Quantum-proof multiparty key exchange system, quantum-proof multiparty terminal device, quantum-proof multiparty key exchange method, program, and recording medium

ABSTRACT

In Round1, each terminal device transmits a key encryption key which conforms to post-quantum cryptography to a neighboring terminal device; in Round2, each terminal device generates a key capsule of a key-shared-between-two-parties using the received key encryption key and returns the key capsule to a terminal device which is a source of the key encryption key; in Round3, each terminal device generates information based on the key-shared-between-two-parties and transmits the information to a key distribution management device and the key distribution management device distributes information, which is obtained based on these pieces of information, to the terminal devices. Each terminal device calculates a shared key based on the distributed information.

TECHNICAL FIELD

The present invention relates to cryptography and, in particular, to a multiparty key exchange technique.

BACKGROUND ART

Multiparty key exchange techniques include group key exchange (GKE), which is a key exchange in a mesh topology, and multi key distribution (MKD), which is a key exchange in a star topology. These key exchanges have problems such as an increase in communication costs proportional to the number of participants and transmission of a shared key to a key distribution management device. These problems were solved by DMKD (Dynamic Multi-Cast Key Distribution: Scalable, Dynamic and Provably Secure Construction) (see, for example, Patent Literature 1 and Non-patent Literature 1). This scheme makes it possible to perform a key exchange in constant Round regardless of the number of participants and conceal a shared key from a key distribution management device.

In recent years, research and development of quantum computers have been rapidly advanced, which may jeopardize the security of encryption. This promotes the study of a cryptosystem that cannot be broken by a quantum computer. Encryption that cannot be broken by a quantum computer is referred to as “quantum-safe” encryption.

PRIOR ART LITERATURE Patent Literature

Patent Literature 1: Japanese Patent Application Laid Open No. 2016-134826

Non-Patent Literature

Non-patent Literature 1: Kazuki Yoneyama, Reo Yoshida, Yuto Kawahara, Tetsutaro Kobayashi, Hitoshi Fuji, Tornohide Yamamoto, “Multi-Cast Key Distribution: Scalable, Dynamic and Provably Secure Construction,” International Conference on Provable Security (ProvSec 2016), LNCS10005, pp. 207-226, November 2016.

SUMMARY OF THE INVENTION Problems to be Solved by the Invention

Although DMKD allows a multiparty key exchange to be efficiently and securely performed, DMKD is not quantum-safe. For that reason, if a quantum computer having sufficient computational capacity will be put to practical use in the future, the security of DMKD will not be assured. Moreover, since DMKD is based on a Diffie-Hellman (DH) key exchange between two parties which cannot be made quantum-proof easily, it is also not easy to modify DMKD so as to be a quantum-safe scheme.

The present invention has been made in view of these points and an object thereof is to provide a quantum-proof multiparty key exchange technique.

Means to Solve the Problems

A terminal device U_(i) stores a key capsule decryption key sk_(i) which conforms to post-quantum cryptography of a public key cryptosystem and outputs a key encryption key pk_(i) corresponding to the key capsule decryption key sk_(i). Here, n is an integer greater than or equal to 3 and i=1, . . . , n.

The terminal device U_(i) accepts a key encryption key pk_((i mod n)+1) which conforms to post-quantum cryptography, sets a random number k_(i), obtains, using the key encryption key pk_((i mod n)+1), a key-shared-between-two-parties R_(i, (i mod n)+1) and a key capsule C_(i, (i mod n)+1) which is cipher text of the key-shared-between-two-parties R_(i (i mod n)+1), outputs the key capsule C_(i, (i mod n)+1), and accepts a key capsule C_((i−2 mod n)+1, i). Here, for a positive integer α, −1 mod α=α−1.

A terminal device U₁ obtains a key-shared-between-two-parties R_(n, 1) by decrypting a key capsule C_(n, 1) using a key capsule decryption key sk₁, obtains a function value K₁ ^((L)) of the key-shared-between-two-parties R_(n, 1), obtains a function value K₁ ^((R)) of a key-shared-between-two-parties R_(1, 2), obtains the XOR T₁ of the function value K₁ ^((L)) and the function value K₁ ^((R)), obtains the XOR T′ of a function value of a random number k₁ and the function value K₁ ^((L)), and outputs the XORs T₁ and T′. A terminal device U_(v) obtains a key-shared-between-two-parties R_((v−2 mod n)+1, v) by decrypting a key capsule C_((v−2 mod n)+1, v) using a key capsule decryption key sk_(v), obtains a function value K_(v) ^((L)) of the key-shared-between-two-parties R_((v−2 mod n)+1, v), obtains a function value K_(v) ^((R)) of a key-shared-between-two-parties R_(v, (v mod n)+1), obtains the XOR T_(v) of the function value K_(v) ^((L)) and the function value K_(v) ^((R)), and outputs a random number k_(v) and the XOR T_(v). Here, v=2, . . . , n.

A key distribution management device obtains the XOR k′ of a plurality of values including random numbers k₂, . . . , k_(n) and outputs the XOR k′, and obtains the XOR T_(v)′ of XORs T₁, . . . , T_(v−1) and outputs the XOR T_(v)′.

The terminal device U₁ obtains a function value of the XOR of the XOR k′ and the random number k₁ as a shared key SK. The terminal device U_(v) obtains the function value K₁ ^((L)) by XORing the XOR T_(v)′ with the function value K_(v) ^((L)), obtains the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and obtains a function value of the XOR of the XOR k′ and the random number k₁, which is obtained from the function value of the random number k₁, as the shared key SK.

Effects of the Invention

In this way, it is possible to implement a quantum-proof multiparty key exchange.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating the configuration of a key exchange system of a first embodiment.

FIG. 2 is a block diagram illustrating the configuration of a terminal device of the embodiment.

FIG. 3 is a block diagram illustrating the configuration of a key distribution management device of the embodiment.

FIG. 4 is a diagram for explaining a key exchange method (Round1) of the embodiment.

FIG. 5 is a diagram for explaining the key exchange method (Round2) of the embodiment.

FIG. 6 is a diagram for explaining the key exchange method (Round3) of the embodiment.

FIG. 7 is a diagram for explaining the key exchange method (shared key generation) of the embodiment.

FIG. 8 is a block diagram illustrating the configuration of a key exchange system of a second embodiment.

FIG. 9 is a block diagram illustrating the configuration of a terminal device of the embodiment.

FIG. 10 is a diagram for explaining a key exchange method (Round1) of the embodiment, which is performed after the addition of a terminal device.

FIG. 11 is a diagram for explaining the key exchange method (Round2) of the embodiment, which is performed after the addition of a terminal device.

FIG. 12 is a diagram for explaining the key exchange method (Round3) of the embodiment, which is performed after the addition of a terminal device.

FIG. 13 is a diagram for explaining the key exchange method (shared key generation) of the embodiment, which is performed after the addition of a terminal device.

FIG. 14 is a block diagram illustrating the configuration of a key exchange system of a third embodiment.

FIG. 15 is a diagram for explaining a key exchange method (Round1) of the embodiment, which is performed after the separation of a terminal device.

FIG. 16 is a diagram for explaining the key exchange method (Round2) of the embodiment, which is performed after the separation of a terminal device.

FIG. 17 is a diagram for explaining the key exchange method (Round3) of the embodiment, which is performed after the separation of a terminal device.

FIG. 18 is a diagram for explaining the key exchange method (shared key generation) of the embodiment, which is performed after the separation of a terminal device.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Hereinafter, embodiments of the present invention will be described with reference to the drawings.

First Embodiment

A first embodiment will be described. In the first embodiment, processing to share a shared key among a plurality of terminal devices will be described.

<Configuration>

As illustrated in FIG. 1, a key exchange system 1 of the present embodiment includes n terminal devices 100-1 to 100-n (terminal devices U₁, . . . , U_(n)) and a key distribution management device 150. n is an integer greater than or equal to 3. Each terminal device 100-i (terminal device U_(i)) (where i=1, . . . , n) is configured so that the terminal device 100-i can communicate with the key distribution management device 150 through the Internet or the like.

As illustrated in FIG. 2, the terminal device 100-i includes an input unit 101-i, an output unit 102-i, a storage 103-i, a control unit 104-i, a key pair generation unit 105-i, a random number setting unit 106-i, a key-shared-between-two-parties generation unit 107-i, a decryption unit 108-i, a function operation unit 109-i, an XOR unit 110-i, a function value reconstruction unit 111-i, a random number reconstruction unit 113-i, and a shared key generation unit 112-i. The terminal device 100-i executes each processing under the control of the control unit 104-i. The data obtained by the processing is stored in the storage 103-i, and is read from the storage 103-i when necessary and used for other processing.

As illustrated in FIG. 3, the key distribution management device 150 includes an input unit 151, an output unit 152, an arithmetic unit 153, a control unit 154, an SID setting unit 155, an XOR unit 156, and a storage 157. The key distribution management device 150 executes each processing under the control of the control unit 154. The data obtained by the processing is stored in the storage 157, and is read from the storage 157 when necessary and used for other processing.

<Processing>

Next, key exchange processing of the present embodiment will be described. The key exchange processing of the present embodiment includes Round1, Round2, Round3, and shared key generation.

<<Round1 (FIG. 4)>>

The key pair generation unit 105-i (where i=1, . . . , n) of the terminal device 100-i (FIG. 2) generates a key pair (pk_(i), sk_(i)) consisting of a key capsule decryption key sk_(i), which conforms to post-quantum cryptography of a public key cryptosystem, and a key encryption key pk_(i) corresponding to the key capsule decryption key sk_(i). For example, the key pair generation unit 105-i generates a random number r_(i), generates a key pair (pk_(i), sk_(i)) by applying the random number r_(i) to a key generation algorithm of a key capsulation algorithm, and outputs the key pair (pk_(i), sk_(i)). The random number may be a pseudo random number or a true random number (the same applies hereinafter). Examples of post-quantum cryptography of the public key cryptosystem include lattice-based cryptography and code-based cryptography. As the key capsulation algorithm, the following key capsulation algorithm, for example, can be used.

Reference Literature 1: Chris Peikert, Lattice Cryptography for the Internet, PQCrypto 2014, LNCS 8772, pp. 197-219, 2014.

The generated key capsule decryption key sk_(i) and key encryption key pk_(i) are stored in the storage 103-i of each terminal device 100-i. Moreover, the key encryption key pk_(i) is output from the output unit 102-i and transmitted to the key distribution management device 150.

The key encryption key pk_(i) is input to (accepted by) the input unit 151 of the key distribution management device 150 (FIG. 3). As soon as the key encryption key pk_(i) is input to the input unit 151, the control unit 154 sends the key encryption key pk_(i) to the output unit 152 and the output unit 152 transmits the key encryption key pk_(i) to a terminal device 100-((i−2 mod n)+1). Here, for a positive integer α, −1 mod α=α−1 is satisfied.

<<Round2 (FIG. 5)>>

The input unit 101-i of the terminal device 100-i (FIG. 2) receives (accepts) a key encryption key pk_((i mod n)+1) and stores the key encryption key pk_((i mod n)+1) in the storage 103-i.

The random number setting unit 106-i of the terminal device 100-i sets a random number k_(i) and outputs the random number k_(i). The random number k is stored in the storage 103-i.

The key-shared-between-two-parties generation unit 107-i of the terminal device 100-i obtains, using the key encryption key pk_((i mod n)+1), a key-shared-between-two-parties R_(i, (i mod n)+1) and a key capsule C_(i, (i mod n)+1), which is cipher text of the key-shared-between-two-parties R_(i, (i mod n)+1), and outputs the key-shared-between-two-parties R_(i, (i mod n)+1) and the key capsule C_(i, (i mod n)+1). For example, the key-shared-between-two-parties generation unit 107-i generates the key-shared-between-two-parties R_(i, (i mod n)+1) and the key capsule C_(i, (i mod n)+1) by the method described in Reference Literature 1 and outputs the key-shared-between-two-parties R_(i, (i mod n)+1) and the key capsule C_(i, (i mod n)+1). The key-shared-between-two-parties R_(i, (i mod n)+1) is stored in the storage 103-i. The key capsule C_(i, (i mod n)+1) is output from the output unit 102-i and transmitted to the key distribution management device 150.

The input unit 151 of the key distribution management device 150 (FIG. 3) receives the key capsule C_(i, (i mod n)+1) transmitted from each terminal device 100-i (where i=1, . . . , n). The STD setting unit 155 generates sid (a session ID) and chooses the terminal device 100-1 as a representative terminal device. The arithmetic unit 153 generates (sid, C_(i, (i mod n)+1)). (sid, C_(i, (i mod n)+1)) is output from the output unit 152 and transmitted to a terminal device 100-((i mod n)+1). That is, the output unit 152 transmits (sid, C_((i−2 mod n)+1, i)) to the terminal device 100-i. Moreover, the output unit 152 transmits, to the terminal device 100-1, information (notification about being chosen as a representative) indicating that the terminal device 100-1 has been chosen as a representative terminal device.

<<Round3 (FIG. 6)>>

The terminal device 100-1 (terminal device U₁) and a terminal device 100-v (terminal device U_(v)), which is not the terminal device 100-1 (terminal device U₁), perform different processing in Round3 of the present embodiment. Here, v=2, . . . , n.

Terminal device 100-1 (terminal device U₁):

(sid, C_(n, 1)) and the notification about being chosen as a representative are input to (accepted by) the input unit 101-1 of the terminal device 100-1. When the notification about being chosen as a representative is received, the control unit 104-1 performs the following control.

The decryption unit 108-1 obtains a key-shared-between-two-parties R_(n, 1) by decrypting the key capsule C_(n, 1) using a key capsule decryption key sk₁ read from the storage 103-1 and outputs the key-shared-between-two-parties R_(n, 1). For instance, the decryption unit 108-1 obtains the key-shared-between-two-parties R_(n, 1) by the method described in Reference Literature 1 and outputs the key-shared-between-two-parties R_(n, 1). The key-shared-between-two-parties R_(n, 1) is stored in the storage 103-1.

Next, the function operation unit 109-1 obtains a function value K₁ ^((L)) of the key-shared-between-two-parties R_(n, 1) and outputs the function value K₁ ^((L)). The function value K₁ ^((L)) may be a value that depends only on the key-shared-between-two-parties R_(n, 1) or a value that depends on the key-shared-between-two-parties R_(n, 1) and another piece of additional information. A “value that depends only on α₃” may be α₃ itself or a value corresponding to α₃. Here, K₁ ^((L))=K_(n) ^((R)) has to be satisfied for K_(n) ^((R)), which will be described later. For example, the function operation unit 109-1 obtains the function value K₁ ^((L))=F(sid, R_(n, 1)) that depends on the key-shared-between-two-parties R_(n, 1) and sid and outputs the function value K₁ ^((L)). An example of F(α₁, α₂) is a function value of a bit concatenation value α₁|α₂ of α₁ and α₂. An example of F is a one-way function. An example of the one-way function is a hash function (for instance, a cryptographic hash function). The function value K₁ ^((L)) is stored in the storage 103-1.

Moreover, the function operation unit 109-1 reads a key-shared-between-two-parties R_(1, 2) from the storage 103-1, and obtains a function value K₁ ^((R)) of the key-shared-between-two-parties R_(1, 2) and outputs the function value K₁ ^((R)). The function value K₁ ^((R)) may be a value that depends only on the key-shared-between-two-parties R_(1, 2) or a value that depends on the key-shared-between-two-parties R_(1, 2) and another piece of additional information. Here, K₁ ^((R))=K₂ ^((L)) has to be satisfied for K₂ ^((L)), which will be described later. For instance, the function operation unit 109-1 obtains the function value K ₁ ^((R)) =F(sid,R _(1, 2)) that depends on the key-shared-between-two-parties R_(1, 2) and sid and outputs the function value K₁ ^((R)). The function value K₁ ^((R)) is stored in the storage 103-1.

The function value K₁ ^((L)) and the function value K₁ ^((R)) are input to the XOR unit 110-1. The XOR unit 110-1 obtains the XOR T ₁ =K ₁ ^((L))(+)K ₁ ^((R)) of the function value K₁ ^((L)) and the function value K₁ ^((R)) and outputs the XOR T₁. α₁(+)α₂ represents the XOR of α₁ and α₂. When at least one of α₁ and α₂ is not a bit string, the XOR of α₁ and α₂ represents the XOR of α₁ and α₂ expressed by a bit string.

A random number k₁ read from the storage 103-1 is further input to the XOR unit 110-1. The XOR unit 110-1 obtains the XOR T′=B(k ₁(+)K ₁ ^((L)) of a function value B(k₁) of the random number k₁ and the function value K₁ ^((L)) and outputs the XOR T′. The function value B(k₁) may be a value that depends only on the random number k₁ or a value that depends on the random number k₁ and another piece of additional information. Here, the random number k₁ has to be easily extractable from the function value B(k₁). An example of the function value B(k₁) is bit concatenation k₁|β of the random number k₁ and another piece of additional information β.

The XORs T₁ and T′ are output from the output unit 102-1 and transmitted to the key distribution management device 150.

Terminal device 100-v (Terminal device U_(v)):

(sid, C_((v−2 mod n)+1, v)) is input to (accepted by) the input unit 101-v of the terminal device 100-v (where v=2, . . . , n). When the notification about being chosen as a representative is not received, the control unit 104-v performs the following control.

The decryption unit 108-v obtains a key-shared-between-two-parties R_((v−2 mod n)+1, v) by decrypting the key capsule C_((v−2 mod n)+1, v) using a key capsule decryption key sk_(v) read from the storage 103-v and outputs the key-shared-between-two-parties R_((v−2 mod n)+1, v). For example, the decryption unit 108-v obtains the key-shared-between-two-parties R_((v−2 mod n)+1, v) by the method described in Reference Literature 1 and outputs the key-shared-between-two-parties R_((v−2 mod n)+1, v). The key-shared-between-two-parties to R_((v−2 mod n)+1, v) is stored in the storage 103-v.

The function operation unit 109-v obtains a function value K_(v) ^((L)) of the key-shared-between-two-parties R_((v−2 mod n)+1, v) and outputs the function value K_(v) ^((L)). The function value K_(v) ^((L)) may be a value that depends only on the key-shared-between-two-parties R_((v−2 mod n)+1, v) or a value that depends on the key-shared-between-two-parties R_((v−2 mod n)+1, v) and another piece of additional information. Here, K_(v) ^((L))=K_((v−2 mod n)+1) ^((R)) has to be satisfied for K_((v−2 mod n)+1) ^((R)), which will be described later. For instance, the function operation unit 109-v obtains the function value K _(v) ^((L)) =F(sid,R _((v−2 mod n)+1, v)) that depends on the key-shared-between-two-parties R_((v−2 mod n)+1, v) and sid and outputs the function value K_(v) ^((L)). The function value K_(v) ^((L)) is stored in the storage 103-v.

The function operation unit 109-v reads a key-shared-between-two-parties R_(v, (v mod n)+1) from the storage 103-v, and obtains a function value K_(v) ^((R)) of the key-shared-between-two-parties R_(v, (v mod n)+1) and outputs the function value K_(v) ^((R)). The function value K_(v) ^((R)) may be a value that depends only on the key-shared-between-two-parties R_(v, (v mod n)+1) or a value that depends on the key-shared-between-two-parties R_(v, (v mod n)+1) and another piece of additional information. Here, K_(v) ^((R))=K_((v mod n)+1) ^((L)) has to be satisfied. For instance, the function operation unit 109-v obtains the function value K _(v) ^((R)) =F(sid,R _(v, (v mod n)+1)) that depends on the key-shared-between-two-parties R_(v, (v mod n)+1) and sid and outputs the function value K_(v) ^((R)). The function value K_(v) ^((R)) is stored in the storage 103-v.

The function value K_(v) ^((L)) and the function value K_(v) ^((R)) are input to the XOR unit 110-v. The XOR unit 110-v obtains the XOR T _(v) =K _(v) ^((L))(+)K _(v) ^((R)) of the function value K_(v) ^((L)) and the function value K_(v) ^((R)) and outputs the XOR T_(v).

A random number k_(v) and the XOR T_(v) are output from the output unit 102-v and transmitted to the key distribution management device 150.

The XORs T₁, . . . , T_(n), and T′ and random numbers k₂, . . . , k_(n) are input to the input unit 151 of the key distribution management device 150 (FIG. 3) and stored in the storage 157. The XOR unit 156 obtains the XOR k′ of a plurality of values including the random numbers k₂, . . . , k_(n) read from the storage 157 and outputs the XOR k′. The XOR k′ of a plurality of values including the random numbers k₂, . . . , k_(n) may be the XOR of the random numbers k₂, . . . , k_(n) or the XOR of the random numbers k₂, . . . , k_(n) and another additional value. For example, the arithmetic unit 153 generates a random number k_(s), and the XOR unit 156 obtains the XOR k′=k ₂(+) . . . (+)k _(n)(+)k _(s) of the random numbers k₂, . . . , k_(n) and k_(s) and outputs the XOR k′.

Moreover, the XOR unit 156 reads XORs T₁, . . . , T_(v−1) from the storage 157 for v=2, . . . , n, obtains the XOR T _(v) ′=T ₁(+) . . . (+)T _(v−1) of the XORs T₁, . . . , T_(v−1), and outputs the XOR T_(v)′.

The output unit 152 transmits the XOR k′ to the terminal device 100-1 and transmits the XORs T′, k′, and T_(v)′ to the terminal device 100-v (where v=2, . . . , n).

<<Shared Key Generation (FIG. 7)>>

The terminal device 100-1 (terminal device U₁) and the terminal device 100-v (terminal device U_(v)), which is not the terminal device 100-1 (terminal device U₁), perform different processing in shared key generation.

Terminal device 100-1 (terminal device U₁):

The XOR k′ is input to (accepted by) the input unit 101-1 of the terminal device 100-1. The shared key generation unit 112-1 obtains a function value of the XOR k′(+)k₁ of the XOR k′ and the random number k₁ read from the storage 103-1 as a shared key SK=F′(k′(+)k ₁) and outputs the shared key SK. An example of F′ is a one-way function. The shared key SK may be a value that depends only on k′(+)k₁ or a value that depends on k′(+)k₁ and another piece of additional information. Examples of the other piece of additional information are sid and a key obtained based on another cryptosystem (for example, attribute-based encryption).

Reference Literature 2 (attribute-based encryption): Yongtao Wang, “Lattice Ciphertext Policy Attribute-based Encryption in the Standard Model,” International Journal of Network Security, Vol. 16, No. 6, PP. 444-451, November 2014.

Terminal device 100-v (terminal device U_(v)):

The XORs T′, k′, and T_(v)′ are input to (accepted by) the input unit 101-v of the terminal device 100-v. The function value reconstruction unit 111-v obtains the function value K₁ ^((L)) by XORing the XOR T_(v)′ with the function value K_(v) ^((L)) read from the storage 103-v and outputs the function value K₁ ^((L)). The reason why the function value K₁ ^((L)) is obtained is as follows. T _(v)′(+)K _(v) ^((L)) =T ₁(+) . . . (+)T _(v−1)(+)K _(v) ^((L)) =K ₁ ^((L))(+)K ₁ ^((R)(+)) K ₂ ^((L))(+)K ₂ ^((R))(+) . . . (+)K _(v−1) ^((L))(+)K _(v−1) ^((R))(+)K _(v) ^((L)) =K ₁ ^((L))

The random number reconstruction unit 113-v obtains the function value B(k₁) of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)) and outputs the function value B(k₁). The reason why the function value B(k₁) is obtained is as follows. T′(+)K ₁ ^((L)) =B(k ₁)(+)K ₁ ^((L))(+)K ₁ ^((L)) =B(k ₁)

The shared key generation unit 112-v extracts the random number k₁ from the function value B(k₁) (for example, B(k₁)=k₁|β), and obtains a function value of the XOR k′(+)k₁ of the XOR k′ and the random number k₁ obtained from the function value B(k₁) as the shared key SK=F′(k′(+)k ₁) and outputs the shared key SK.

In the storage 103-i (where i=1, . . . , n) of each terminal device 100-i (terminal device U_(i)), a function value r=F″(SK) updated by using the shared key SK and keys-shared-between-two-parties H_(i) ^((L))=R_((i−2 mod n)+1, i) and H_(i) ^((R))=R_(i, (i mod n)+1) are stored.

<Features of the Present Embodiment>

In the present embodiment, a key capsule-type key exchange between two parties is adopted, which makes it possible to perform a key exchange between two parties which conforms to post-quantum cryptography of the public key cryptosystem and, by using this key exchange, configure a quantum-safe multiparty key exchange system. That is, in Round1, each terminal device transmits a key encryption key which conforms to post-quantum cryptography to a neighboring terminal device; in Round2, each terminal device generates a key capsule of a key-shared-between-two-parties using the received key encryption key and returns the key capsule to a terminal device which is a source of the key encryption key; in Round3, each terminal device generates information based on the key-shared-between-two-parties and transmits the information to the key distribution management device and the key distribution management device distributes information, which is obtained based on these pieces of information, to the terminal devices. Each terminal device can calculate a shared key based on the distributed information. On the other hand, the key distribution management device cannot know a shared key from the information sent from each terminal device. The processing to share a key-shared-between-two-parties is quantum-safe, and a multiparty key exchange based thereon is also quantum-safe.

Second Embodiment

A second embodiment will be described. In the second embodiment, after the processing of the first embodiment is performed, a new terminal device 100-(n+1) (terminal device U_(n+1)) is added and a shared key SK is shared among n+1 terminal devices 100-1 to 100-(n+1) (terminal devices U₁, . . . , U_(n+1)).

<Configuration>

As illustrated in FIG. 8, a key exchange system 2 of the present embodiment includes n terminal devices 100-1 to 100-n (terminal devices U₁, . . . , U_(n)), a new terminal device 100-(n+1) (terminal device U_(i+1)) which is added, and a key distribution management device 150. Each terminal device 100-i (terminal device U_(i)) (where i=1, . . . , n) and the terminal device 100-(n+1) are configured so that the terminal device 100-i and the terminal device 100-(n+1) can communicate with the key distribution management device 150 through the Internet or the like.

As illustrated in FIG. 9, the terminal device 100-(n+1) includes an input unit 101-(n+1), an output unit 102-(n+1), a storage 103-(n+1), a control unit 104-(n+1), a key pair generation unit 105-(n+1), a random number setting unit 106-(n+1), a key-shared-between-two-parties generation unit 107-(n+1), a decryption unit 108-(n+1), a function operation unit 109-(n+1), an XOR unit 110-(n+1), a function value reconstruction unit 111-(n+1), a random number reconstruction unit 113-(n+1), and a shared key generation unit 112-(n+1). The terminal device 100-(n+1) executes each processing under the control of the control unit 104-(n+1). The data obtained by the processing is stored in the storage 103-(n+1), and is read from the storage 103-(n+1) when necessary and used for other processing.

<Processing>

Next, key exchange processing which is performed after the addition of the terminal device 100-(n+1) will be described. The key exchange processing of the present embodiment includes Round1, Round2, Round3, and shared key generation. It is assumed that the function value r=F″(SK) of the shared key SK and the keys-shared-between-two-parties H_(i) ^((L))=R_((i−2 mod n)+1, i) and H_(i) ^((R))=R_(i, (i mod n)+1), which were obtained by the processing of the first embodiment, are stored in the storage 103-i (where i=1, . . . , n) of each terminal device 100-i (terminal device U_(i)) (FIG. 2).

<<Round1 (FIG. 10)>>

Terminal device 100-1 (terminal device U₁):

The key pair generation unit 105-1 of the terminal device 100-1 (FIG. 2) generates a key pair (pk₁, sk₁) consisting of a key capsule decryption key sk₁, which conforms to post-quantum cryptography of the public key cryptosystem, and a key encryption key pk₁ corresponding to the key capsule decryption key sk₁. The generated key capsule decryption key sk₁ and key encryption key pk₁ are stored in the storage 103-1. Moreover, the key encryption key pk₁ is output from the output unit 102-1 and transmitted to the key distribution management device 150.

Terminal device 100-(n+1) (terminal device U_(n+i)):

The key pair generation unit 105-(n+1) of the terminal device 100-(n+1) (FIG. 9) generates a key pair (pk_(n+1), sk_(n+1)) consisting of a key capsule decryption key sk_(n+1), which conforms to post-quantum cryptography of the public key cryptosystem, and a key encryption key pk_(n+1) corresponding to the key capsule decryption key sk_(n+1). The generated key capsule decryption key sk_(n+1) and key encryption key pk_(n+1) are stored in the storage 103-(n+1). Moreover, the key encryption key pk_(n+1) is output from the output unit 102-(n+1) and transmitted to the key distribution management device 150.

The key encryption keys pk₁ and pk_(n+1) are input to the input unit 151 of the key distribution management device 150 (FIG. 3). As soon as the key encryption key pk₁ is input to the input unit 151, the control unit 154 sends the key encryption key pk₁ to the output unit 152 and the output unit 152 transmits the key encryption key pk₁ to the terminal device 100-(n+1). As soon as the key encryption key pk_(n+1) is input to the input unit 151, the control unit 154 sends the key encryption key pk_(n+1) to the output unit 152 and the output unit 152 transmits the key encryption key pk_(n+1) to the terminal device 100-n.

<<Round2 (FIG. 11)>>

Terminal device 100-n (terminal device U_(n)):

The input unit 101-n of the terminal device 100-n (FIG. 2) receives the key encryption key pk_(n+1) and stores the key encryption key pk_(n+1) in the storage 103-n.

The random number setting unit 106-n of the terminal device 100-n sets a random number k_(n) and outputs the random number k_(n). The random number k_(n) is stored in the storage 103-n.

The key-shared-between-two-parties generation unit 107-n obtains, using the key encryption key pk_(n+1), a key-shared-between-two-parties R_(n, n+1) and a key capsule C_(n, n+1), which is cipher text of the key-shared-between-two-parties R_(n, n+1) and outputs the key-shared-between-two-parties R_(n, n+1) and the key capsule C_(n, n+1) (see, for example, Reference Literature 1 and the like). The key-shared-between-two-parties R_(n, n+1) is stored in the storage 103-n. The key capsule C_(n, n+1) is output from the to output unit 102-n and transmitted to the key distribution management device 150.

Terminal device 100-(n+1) (terminal device U_(n+1)):

The input unit 101-(n+1) of the terminal device 100-(n+1) (FIG. 9) receives (accepts) the key encryption key pk₁ and stores the key encryption key pk₁ in the storage 103-(n+1).

The random number setting unit 106-(n+1) of the terminal device 100-(n+1) sets a random number k_(n+1) and outputs the random number k_(n+1). The random number k_(n+1) is stored in the storage 103-(n+1).

The key-shared-between-two-parties generation unit 107-(n+1) obtains, using the key encryption key pk₁, a key-shared-between-two-parties R_(n+1, 1) and a key capsule C_(n+1, 1), which is cipher text of the key-shared-between-two-parties R_(n+1, 1), and outputs the key-shared-between-two-parties R_(n+1, 1) and the key capsule C_(n+1, 1) (see, for example, Reference Literature 1 and the like). The key-shared-between-two-parties R_(n+1, 1) is stored in the storage 103-(n+1). The key capsule C_(n+1, 1) is output from the output unit 102-(n+1) and transmitted to the key distribution management device 150.

Terminal device 100-ρ (terminal device U_(ρ)):

The random number setting unit 106-ρ of the terminal device 100-ρ (where ρ=1, . . . , n−1) sets a random number k_(ρ) and outputs the random number k_(ρ). The random number k_(ρ) is stored in the storage 103-ρ.

The input unit 151 of the key distribution management device 150 (FIG. 3) receives the key capsule C_(n, n+1) transmitted from the terminal device 100-n and the key capsule C_(n+1, 1) transmitted from the terminal device 100-(n+1). The SID setting unit 155 newly generates sid and chooses the terminal device 100-1 as a representative terminal device. The arithmetic unit 153 generates (sid, and (sid, C_(n, n+1)). (sid, C_(n, n+1)) is output from the output unit 152 and transmitted to the terminal device 100-(n+1). (sid, C_(n+1, 1)) is output from the output unit 152 and transmitted to the terminal device 100-1. The output unit 152 transmits, to the terminal device 100-1, information (notification about being chosen as a representative) indicating that the terminal device 100-1 has been chosen as a representative terminal device. Furthermore, sid is output from the output unit 152 and transmitted to a terminal device 100-v (where v=2, . . . , n).

<<Round3 (FIG. 12)>>

The terminal device 100-1 (terminal device U₁), the terminal device 100-n (terminal device U_(n)), the terminal device 100-(n+1) (terminal device U_(n+1)), and a terminal device 100-z (terminal device U_(z)), which is not the terminal device 100-1 (terminal device U₁), the terminal device 100-n (terminal device U_(n)), and the terminal device 100-(n+1) (terminal device U_(n+1)), perform different processing in Round3 of the present embodiment. Here, z=2, . . . , n−1.

Terminal device 100-1 (terminal device U₁):

(sid, C_(n+1, 1)) and the notification about being chosen as a representative are input to the input unit 101-1 of the terminal device 100-1. When the notification about being chosen as a representative is received, the control unit 104-1 performs the following control.

The decryption unit 108-1 obtains the key-shared-between-two-parties R_(n+1, 1) by decrypting the key capsule C_(n+1, 1) using the key capsule decryption key sk₁ read from the storage 103-1 and outputs the key-shared-between-two-parties R_(n+1, 1). The key-shared-between-two-parties R_(n+1, 1) is stored in the storage 103-1.

Next, the function operation unit 109-1 obtains a function value K₁ ^((L)) of the key-shared-between-two-parties R_(n+1, 1) and outputs the function value K₁ ^((L)). The function value K₁ ^((L)) may be a value that depends only on the key-shared-between-two-parties R_(n+1, 1) or a value that depends on the key-shared-between-two-parties R_(1+1, 1) and another piece of additional information. Here, K₁ ^((L))=K_(n+1) ^((R)) has to be satisfied for K_(n+1) ^((R)), which will be described later. For instance, the function operation unit 109-1 obtains the function value K ₁ ^((L)) =F(sid,R _(n+1, 1)) that depends on the key-shared-between-two-parties R_(n+1, 1) and sid and outputs the function value K₁ ^((L)). The function value K₁ ^((L)) is stored in the storage 103-1.

Moreover, the function operation unit 109-1 reads the function value r from the storage 103-1, and obtains a function value K₁ ^((R)) of the function value r and outputs the function value K₁ ^((R)). The function value K₁ ^((R)) may be a value that depends only on the function value r or a value that depends on the function value r and another piece of additional information. Here, K₁ ^((R))=K_(n) ^((L)) has to be satisfied. For instance, the function operation unit 109-1 obtains the function value K ₁ ^((R)) =F(sid,r) that depends on the function value r and sid and outputs the function value K₁ ^((R)). The function value K₁ ^((R)) is stored in the storage 103-1.

The function value K₁ ^((L)) and the function value K₁ ^((R)) are input to the XOR unit 110-1. The XOR unit 110-1 obtains the XOR T ₁ =K ₁ ^((L))(+)K ₁ ^((R)) of the function value K₁ ^((L)) and the function value K₁ ^((R)) and outputs the XOR T₁.

A random number k₁ read from the storage 103-1 is further input to the XOR unit 110-1. The XOR unit 110-1 obtains the XOR T′=B(k ₁)(+)K ₁ ^((L)) of a function value B(k₁) of the random number k₁ and the function value K₁ ^((L)) and outputs the XOR T′. As described earlier, an example of the function value B(k₁) is bit concatenation k₁|β of the random number k₁ and another piece of additional information β.

The XORs T₁ and T′ are output from the output unit 102-1 and transmitted to the key distribution management device 150.

Terminal device 100-n (terminal device U_(n)):

The function operation unit 109-n reads the function value r from the storage 103-n, and obtains a function value K_(n) ^((L)) of the function value r and outputs the function value K_(n) ^((L)). The function value K_(n) ^((L)) may be a value that depends only on the function value r or a value that depends on the function value r and another piece of additional information. Here, K_(n) ^((L))=K₁ ^((R)) has to be satisfied. For instance, the function operation unit 109-n obtains the function value K _(n) ^((L)) =F(sid,r) that depends on the function value r and sid and outputs the function value K_(n) ^((L)). The function value K_(n) ^((L)) is stored in the storage 103-n.

The function operation unit 109-n reads the key-shared-between-two-parties R_(n, n+1) from the storage 103-n, and obtains a function value K_(n) ^((R)) of the key-shared-between-two-parties R_(n, n+1) and outputs the function value K_(n) ^((R)). The function value K_(n) ^((R)) may be a value that depends only on the key-shared-between-two-parties R_(n, n+1) or a value that depends on the key-shared-between-two-parties R_(n, n+1) and another piece of additional information. Here, K_(n) ^((R))=K_(n+1) ^((L)) has to be satisfied. For instance, the function operation unit 109-n obtains the function value K _(n) ^((R)) =F(sid,R _(n,n+1)) that depends on the key-shared-between-two-parties R_(n, n+1) and sid and outputs the function value K_(n) ^((R)). The function value K_(n) ^((R)) is stored in the storage 103-n.

The function value K_(n) ^((L)) and the function value K_(n) ^((R)) are input to the XOR unit 110-n. The XOR unit 110-n obtains the XOR T _(n) =K _(n) ^((L))(+)K _(n) ^((R)) of the function value K_(n) ^((L)) and the function value K_(n) ^((R)) and outputs the XOR T_(n).

The random number k_(n) read from the storage 103-n and the XOR T_(n) are output from the output unit 102-n and transmitted to the key distribution management device 150.

Terminal device 100-(n+1) (terminal device U_(n+1)):

(sid, C_(n, n+1)) is input to the input unit 101-(n+1) of the terminal device 100-(n+1).

The decryption unit 108-(n+1) obtains the key-shared-between-two-parties R_(n, n+1) by decrypting the key capsule C_(n, n+1) using the key capsule decryption key sk_(n+1) read from the storage 103-(n+1) and outputs the key-shared-between-two-parties R_(n, n+1). The key-shared-between-two-parties R_(n, n+1) is stored in the storage 103-(n+1).

Next, the function operation unit 109-(n+1) obtains a function value K_(n+1) ^((L)) of the key-shared-between-two-parties R_(n, n+1) and outputs the function value K_(n+1) ^((L)). The function value K_(n+1) ^((L)) may be a value that depends only on the key-shared-between-two-parties R_(n, n+1) or a value that depends on the key-shared-between-two-parties R_(n, n+1) and another piece of additional information. Here, K_(n+1) ^((L))=K_(n) ^((R)) has to be satisfied. For instance, the function operation unit 109-(n+1) obtains the function value K _(n+1) ^((L)) =F(sid,R _(n, n+1)) that depends on the key-shared-between-two-parties R_(n, n+1) and sid and outputs the function value K_(n+1) ^((L)). The function value K_(n+1) ^((L)) is stored in the storage 103-(n+1).

The function operation unit 109-(n+1) reads the key-shared-between-two-parties R_(n+1, 1) from the storage 103-(n+1), and obtains a function value K_(n+1) ^((R)) of the key-shared-between-two-parties R_(n+1, 1) and outputs the function value K_(n+1) ^((R)). The function value K_(n+1) ^((R)) may be a value that depends only on the key-shared-between-two-parties R_(n+1, 1) or a value that depends on the key-shared-between-two-parties R_(n+1, 1) and another piece of additional information. Here, K_(n+1, 1) ^((R))=K₁ ^((L)) has to be satisfied. For instance, the function operation unit 109-(n+1) obtains the function value K _(n+1) ^((R)) =F(sid,R _(n+1, 1)) that depends on the key-shared-between-two-parties R_(n+1, 1) and sid and outputs the function value K_(n+1) ^((R)). The function value K_(n+1) ^((R)) is stored in the storage 103-(n+1).

The function value K_(n+1) ^((L)) and the function value K_(n+1) ^((R)) are input to the XOR unit 110-(n+1). The XOR unit 110-(n+1) obtains the XOR T _(n+1) =K _(n+1) ^((L))(+)K _(n+1) ^((R)) of the function value K_(n+1) ^((L)) and the function value K_(n+1) ^((R)) and outputs the XOR T_(n+1).

The random number k_(n+1) read from the storage 103-(n+1) and the XOR T_(n+1) are output from the output unit 102-(n+1) and transmitted to the key distribution management device 150.

Terminal device 100-z (terminal device U_(z)) (z=2, . . . , n−1):

A random number k_(z) read from the storage 103-z is output from the output unit 102-z and transmitted to the key distribution management device 150.

The XORs T₁, T_(n), T_(n+1), and and random numbers k₂, . . . , k_(n+1) are input to the input unit 151 of the key distribution management device 150 (FIG. 3) and stored in the storage 157. The XOR unit 156 obtains the XOR k′ of a plurality of values including the random numbers k₂, . . . , k_(n+1) read from the storage 157 and outputs the XOR k′. The XOR k′ of a plurality of values including the random numbers k₂, . . . , k_(n+1) may be the XOR of the random numbers k₂, . . . , k_(n+1) or the XOR of the random numbers k₂, . . . , k_(n+1) and another additional value. For example, the arithmetic unit 153 generates a random number k_(s), and the XOR unit 156 obtains the XOR k′=k ₂(+) . . . (+)k _(n+1)(+)k _(s) of the random numbers k₂, k_(n+1) and k_(s) and outputs the XOR k′.

Moreover, the XOR unit 156 reads the XORs T₁, . . . , T_(w−1) from the storage 157 for w=2, . . . , n+1, and obtains the XOR T _(w) ′=T ₁(+) . . . (+)T _(w−1) of the XORs T₁, . . . , T_(w−1), of which the XORs T₂, . . . , T_(n−1) are nulls, and outputs the XOR T_(w)′. That is, T_(w)′=T₁ when 2≤w≤n and T_(w)′=T₁(+)T_(n) when w=n+1.

The output unit 152 transmits the XOR k′ to the terminal device 100-1 and transmits the XORs T′, k′, and T_(w)′ to a terminal device 100-w (where w=2, . . . , n+1).

<<Shared Key Generation (FIG. 13)>>

The terminal device 100-1 (terminal device U₁), the terminal device 100-n (terminal device U_(n)), the terminal device 100-(n+1) (terminal device U_(n+1)), and the terminal device 100-ρ (terminal device U_(ρ)), which is not the terminal device 100-1 (terminal device U₁), the terminal device 100-n (terminal device U_(n)), and the terminal device 100-(n+1) (terminal device U_(n+1)), perform different processing in shared key generation.

Terminal device 100-1 (terminal device U₁):

The XOR k′ is input to the input unit 101-1 of the terminal device 100-1. The shared key generation unit 112-1 obtains a function value of the XOR k′(+)k₁ of the XOR k′ and the random number k₁ read from the storage 103-1 as a shared key SK=F′(k′(+)k ₁) and outputs the shared key SK.

Terminal device 100-n (terminal device U_(n)):

The XORs T′, k′, and T_(n)′ are input to the input unit 101-n of the terminal device 100-n. The function value reconstruction unit 111-n obtains the function value K₁ ^((L)) by XORing the XOR T_(n)′ with the function value K_(n) ^((L)) read from the storage 103-n and outputs the function value K₁ ^((L)). The reason why the function value K₁ ^((L)) is obtained is as follows (the XORs T₂, . . . , T_(n−1) are nulls and K₁ ^((R))=K_(n) ^((L))). T _(n)′(+)K _(n) ^((L)) =T ₁(+) . . . (+)T _(n−1)(+)K _(n) ^((L)) =T ₁(+)K _(n) ^((L)) K ₁ ^((L))(+)K ₁ ^((R))(+)K _(n) ^((L)) =K ₁ ^((L))

The random number reconstruction unit 113-n obtains the function value B(k₁) of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((R)) and outputs the function value B(k₁). The reason why the function value B(k₁) is obtained has been described earlier.

The shared key generation unit 112-n extracts the random number k₁ from the function value B(k₁) (for example, B(k₁)=k₁|β), and obtains a function value of the XOR k′(+)k₁ of the XOR k′ and the random number k₁ obtained from the function value B(k₁) as the shared key SK=F′(k′(+)k ₁) and outputs the shared key SK.

Terminal device 100-(n+1) (terminal device U_(n+1)):

The XORs T′, k′, and T_(n+1)′ are input to the input unit 101-(n+1) of the terminal device 100-(n+1). The function value reconstruction unit 111-(n+1) obtains the function value K₁ ^((L)) by XORing the XOR T_(n+1)′ with the function value K_(n+1) ^((L)) read from the storage 103-(n+1) and outputs the function value K₁ ^((L)). It is to be noted that the reason why the function value K₁ ^((L)) is obtained is as follows (the XORs T₂, . . . , T_(n−1) are nulls and K₁ ^((R))=K_(n) ^((L)) and K_(n) ^((R))=K_(n+1) ^((L))). T _(n+1)′(+)K _(n+1) ^((L)) =T ₁(+) . . . (+)T _(n)(+)K _(n+1) ^((L)) =T ₁(+)T _(n)(+)K _(n+1) ^((L)) =K ₁ ^((L))(+)K ₁ ^((R))(+)K _(n) ^((L))(+)K _(n) ^((R))(+)K _(n+1) ^((L)) =K ₁ ^((L))

The random number reconstruction unit 113-(n+1) obtains the function value B(k₁) of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)) and outputs the function value B(k₁).

The shared key generation unit 112-(n+1) extracts the random number k₁ from the function value B(k₁) (for example, B(k₁)=k₁|β), and obtains a function value of the XOR k′(+)k₁ of the XOR k′ and the random number k₁ obtained from the function value B(k₁) as the shared key SK=F′(k′(+)k ₁) and outputs the shared key SK.

Terminal device 100-ρ (terminal device U_(ρ)) (ρ=1, . . . , n−1):

The XORs T′, k′, and T_(ρ)′ are input to the input unit 101-ρ of the terminal device 100-ρ. The function value reconstruction unit 111-ρ obtains the function value K₁ ^((L)) by XORing the XOR T_(ρ)′ with the function value (=K₁ ^((R))) of the function value r read from the storage 103-ρ and outputs the function value K₁ ^((L)).

The random number reconstruction unit 113-ρ obtains the function value B(k₁) of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)) and outputs the function value B(k₁).

The shared key generation unit 112-ρ extracts the random number k₁ from the function value B(k₁) (for example, B(k₁)=K₁|β), and obtains a function value of the XOR k′(+)k₁ of the XOR k′ and the random number k₁ obtained from the function value B(k₁) as the shared key SK=F′(k′(+)k ₁) and outputs the shared key SK.

In the storage 103-i ^((L)) (where i″=1, . . . , n+1) of each terminal device 100-i″ (terminal device U_(i″)), the function value r=F″(SK) updated by using the new shared key SK and keys-shared-between-two-parties H_(i″) ^((L))=R_((i″−2 mod n)+1, i″) and H_(i″) ^((R))=R_(i″, (i″ mod n)+1) are stored.

<Features of the Present Embodiment>

In the present embodiment, the key capsule-type key exchange between two parties is adopted, which makes it possible to perform a key exchange between two parties which conforms to post-quantum cryptography of the public key cryptosystem and, by performing the above-described processing using this key exchange, perform a quantum-safe multiparty key exchange with an added new terminal device.

Third Embodiment

A third embodiment will be described. In the third embodiment, after the processing of the first embodiment is performed, any terminal device 100-j (terminal device U_(j)) (j is an integer greater than or equal to 1 and less than or equal to n) leaves the system and the other n−1 terminal devices 100-1 to 100-(j−1) and 100-(j+1) to 100-n (terminal devices U₁, . . . , U_(j−1) and U_(j+1), . . . , U_(n)) share a new shared key SK.

<Configuration>

As illustrated in FIG. 14, a key exchange system 3 of the present embodiment includes n terminal devices 100-1 to 100-n (terminal devices U₁, . . . , U_(n)) and a key distribution management device 150. Each terminal device 100-i (terminal device U_(i)) (where i=1, . . . , n) is configured so that the terminal device 100-i can communicate with the key distribution management device 150 through the Internet or the like.

<Processing>

Next, key exchange processing which is performed after the terminal device 100-j leaves the key exchange system 3 will be described. The key exchange processing of the present embodiment includes Round1, Round2, Round3, and shared key generation. It is assumed that the keys-shared-between-two-parties H₁ ^((L))=R_((i−2 mod n)+1, i) and H_(i) ^((R))=R_(i, (i mod n)+1) obtained by the processing of the first embodiment are stored in the storage 103-i (where i=1, . . . , n) of each terminal device 100-i (terminal device U_(i)) (FIG. 2).

<<Round1 (FIG. 15)>>

Terminal device 100-((j mod n)+1) (terminal device U_((j mod n)+1)):

The key pair generation unit 105-((j mod n)+1) of the terminal device 100-((j mod n)+1) (FIG. 2) generates a key pair (pk_((j mod n)+1), sk_((j mod n)+1)) consisting of a key capsule decryption key sk_((j mod n)+1), which conforms to post-quantum cryptography of the public key cryptosystem, and a key encryption key pk_((j mod n)+1) corresponding to the key capsule decryption key sk_((j mod n)+1). The generated key capsule decryption key sk_((j mod n)+1) and key encryption key pk_((j mod n)+1) are stored in the storage 103-((j mod n)+1). Moreover, the key encryption key pk_((j mod n)+1) is output from the output unit 102-((j mod n)+1) and transmitted to the key distribution management device 150.

The key encryption key pk_((j mod n)+1) is input to the input unit 151 of the key distribution management device 150 (FIG. 3). As soon as the key encryption key pk_((j mod n)+1) is input to the input unit 151, the control unit 154 sends the key encryption key pk_((j mod n)+1) to the output unit 152 and the output unit 152 transmits the key encryption key pk_((j mod n)+1) to a terminal device 100-((j−2 mod n)+1).

<<Round2 (FIG. 16)>>

Terminal device 100-((j−2 mod n)+1) (terminal device U_((j−2 mod n)+1)):

The input unit 101-((j−2 mod n)+1) of the terminal device 100-((j−2 mod n)+1) (FIG. 2) receives the key encryption key pk_((j mod n)+1) and stores the key encryption key pk_((j mod n)+1) in the storage 103-((j−2 mod n)+1).

The random number setting unit 106-((j−2 mod n)+1) of the terminal device 100-((j−2 mod n)+1) sets a random number k_((j−2 mod n)+1) and outputs the random number k_((j−2 mod n)+1). The random number k_((j−2 mod n)+1) is stored in the storage 103-((j−2 mod n)+1).

The key-shared-between-two-parties generation unit 107-((j−2 mod n)+1) obtains, using the key encryption key pk_((j mod n)+1), a key-shared-between-two-parties R_((j−2 mod n)+1), R_((j mod n)+1, (j mod n)+1) and a key capsule C_((j−2 mod n)+1, (j mod n)+1), which is cipher text of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1), and outputs the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and the key capsule C_((j−2 mod n)+1, (j mod n)+1). The key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) is stored in the storage 103-((j−2 mod n)+1). The key capsule C_((j−2 mod n)+1, (j mod n)+1) is output from the output unit 102-((j−2 mod n)+1) and transmitted to the key distribution management device 150.

Terminal device 100-y (terminal device U_(y)) (y=1, . . . , n, y≠j, and y≠(j−2) mod n+1):

The random number setting unit 106-y of the terminal device 100-y sets a random number k_(y) and outputs the random number k_(y). The random number k_(y) is stored in the storage 103-y. Here, y=1, . . . , n, y≠j, and y≠(j−2) mod n+1.

The input unit 151 of the key distribution management device 150 (FIG. 3) receives the key capsule C_((j−2 mod n)+1, (j mod n)+1) transmitted from the terminal device 100-((j−2 mod n)+1). The SID setting unit 155 newly generates sid and chooses the terminal device 100-((j−2 mod n)+1) as a representative terminal device. The arithmetic unit 153 generates (sid, C_((j−2 mod n)+1, (j mod n)+1)). (sid, C_((j−2 mod n)+1, (j mod n)+1)) is output from the output unit 152 and transmitted to the terminal device 100-((j−2 mod n)+1). The output unit 152 transmits, to the terminal device 100-((j−2 mod n)+1), information (notification about being chosen as a representative) indicating that the terminal device 100-((j−2 mod n)+1) has been chosen as a representative terminal device. Furthermore, sid is output from the output unit 152 and transmitted to a terminal device 100-φ. Here, φ=1, . . . , n, φ≠j, and x≠(φ mod n)+1.

<<Round3 (FIG. 17)>>

The terminal device 100-(j−1) (terminal device the terminal device 100-(j+1) (terminal device U_(j+1)), and a terminal device 100-x (terminal device U_(x)) perform different processing in Round3 of the present embodiment. Here, x=1, . . . , n, x≠j, x≠(j−2 mod n)+1, and x (j mod n)+1.

Terminal device 100-((j−2 mod n)+1) (terminal device U_(j−2 mod n)+)1):

The function operation unit 109-((j−2 mod n)+1) reads a key-shared-between-two-parties H_((j−2 mod n)+1) ^((L))=R_((j−3 mod n)+1, (j−2 mod n)+1) from the storage 103-((j−2 mod n)+1), and obtains a function value K_((j−2 mod n)+1) ^((L)) of the key-shared-between-two-parties H_((j−2 mod n)+1) ^((L)) and outputs the function value K_((j−2 mod n)+1) ^((L)). The function value K_((j−2 mod n)+1) ^((L)) may be a value that depends only on the key-shared-between-two-parties H_((j−2 mod n)+1) ^((L)) or a value that depends on the key-shared-between-two-parties H_((j−2 mod n)+1) ^((L)) and another piece of additional information. Here, K_((j−2 mod n)+1) ^((L))=K_((j−3 mod n)+1) ^((R)) has to be satisfied. For instance, the function operation unit 109-n obtains the function value K _((j−2 mod n)+1) ^((L)) =F(sid, H _((j−2 mod n)+1) ^((L))) =F(sid, R _((j−3 mod n)+1, (j−2 mod n)+1)) that depends on the key-shared-between-two-parties H_((j−2 mod n)+1) ^((L))=R_((j−3 mod n)+1, (j−2 mod n)+1) and sid and outputs the function value K_((j−2 mod n)+1) ^((L)). The function value K_((j−2 mod n)+1) ^((L)) is stored in the storage 103-((j−2 mod n)+1).

The function operation unit 109-((j−2 mod n)+1) reads a key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) from the storage 103-((j−2 mod n)+1), and obtains a function value K_((j−2 mod n)+1) ^((R)) of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and outputs the function value K_((j−2 mod n)+1) ^((R)). The function value K_((j−2 mod n)+1) ^((R)) may be a value that depends only on the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) or a value that depends on the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and another piece of additional information. Here, K_((j−2 mod n)+1) ^((R))=K_((j mod n)+1) ^((L)) has to be satisfied. For instance, the function operation unit 109-((j−2 mod n)+1) obtains the function value K _((j−2 mod n)+1) ^((R)) =F(sid,R _((j−2 mod n)+1, (j mod n)+1)) that depends on the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and sid and outputs the function value K_((j−2 mod n)+1) ^((R)). The function value K_((j−2 mod n)+1) ^((R)) is stored in the storage 103-((j−2 mod n)+1).

The function value K_((j−2 mod n)+1) ^((L)) and the function value K_((j−2 mod n)+1) ^((R)) are input to the XOR unit 110-((j−2 mod n)+1). The XOR unit 110-((j−2 mod n)+1) obtains the XOR T _((j−2 mod n)+1) =K _((j−2 mod n)+1) ^((L))(+)K _((j−2 mod n)+1) ^((R)) of the function value K_((j−2 mod n)+1) ^((L)) and the function value K_((j−2 mod n)+1) ^((R)) and outputs the XOR T_((j−2 mod n)+1).

The random number k_((j−2 mod n)+1) read from the storage 103-((j−2 mod n)+1) is further input to the XOR unit 110-((j−2 mod n)+1). The XOR unit 110-((j−2 mod n)+1) obtains the XOR T′=B(k _((j−2 mod n)+1))(+)K _((j−2 mod n)+1) ^((L)) of a function value B(k_((j−2 mod n)+1)) of the random number k_((j−2 mod n)+1) and the function value K_((j−2 mod n)+1) ^((L)) and outputs the XOR T′. An example of the function value B(k_((j−2 mod n)+1)) is bit concatenation k_((j−2 mod n)+1)|β of the random number k_((j−2 mod n)+1) and another piece of additional information β.

The XOR T_((j−2 mod n)+1) and the XOR T′ are output from the output unit 102-((j−2 mod n)+1) and transmitted to the key distribution management device 150.

Terminal device 100-((j mod n)+1) (terminal device U_((j mod n)+1)):

(sid, C_((j−2 mod n)+1, (j mod n)+1)) is input to the input unit 101-((j mod n)+1) of the terminal device 100-((j mod n)+1).

The decryption unit 108-((j mod n)+1) obtains the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) by decrypting the key capsule C_((j−2 mod n)+1, (j mod n)+1) using the key capsule decryption key sk_((j mod n)+1) read from the storage 103-((j mod n)+1) and outputs the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1). The key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) is stored in the storage 103-((j mod n)+1).

The function operation unit 109-((j mod n)+1) obtains a function value K_((j mod n)+1) ^((L)) of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and outputs the function value K_((j mod n)+1) ^((L)). The function value K_((j mod n)+1) ^((L)) may be a value that depends only on the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) or a value that depends on the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and another piece of additional information. Here, K_((j mod n)+1) ^((L))=K_((j−2 mod n)+1) ^((R)) has to be satisfied. For instance, the function operation unit 109-((j mod n)+1) obtains the function value K _((j mod n)+1) ^((L)) =F(sid,R _((j−2 mod n)+1, (j mod n)+1))

that depends on the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and sid and outputs the function value K_((j mod n)+1) ^((L)). The function value K_((j mod n)+1) ^((L)) is stored in the storage 103-((j mod n)+1).

The function operation unit 109-((j mod n)+1) reads a key-shared-between-two-parties H_((j mod n)+1) ^((R))=R_((j mod n)+1, (j+1 mod n)+1) from the storage 103-((j mod n)+1), and obtains a function value K_((j mod n)+1) ^((R)) of the key-shared-between-two-parties H_((j mod n)+1) ^((R)) and outputs the function value K_((j mod n)+1) ^((R)). The function value K_((j mod n)+1) ^((R)) may be a value that depends only on the key-shared-between-two-parties H_((j mod n)+1) ^((R)) or a value that depends on the key-shared-between-two-parties H_((j mod n)+1) ^((R)) and another piece of additional information. Here, K_((j mod n)+1) ^((R))=K_((j+1 mod n)+1) ^((L)) has to be satisfied. For instance, the function operation unit 109-((j mod n)+1) obtains the function value K _((j mod n)+1) ^((R)) =F(sid, H _((j mod n)+1) ^((R))) =F(sid, R _((j mod n)+1, j+1 mod n)+1)) that depends on the key-shared-between-two-parties H_((j mod n)+1) ^((R)) and sid and outputs the function value K_((j mod n)+1) ^((R)). The function value K_((j mod n)+1) ^((R)) is stored in the storage 103-((j mod n)+1).

The function value K_((j mod n)+1) ^((L)) and the function value K_((j mod n)+1) ^((R)) are input to the XOR unit 110-((j mod n)+1). The XOR unit 110-((j mod n)+1) obtains the XOR T _((j mod n)+1) =K _((j mod n)+1) ^((L))(+)K _((j mod n)+1) ^((R)) of the function value K_((j mod n)+1) ^((L)) and the function value K_((j mod n)+1) ^((R)) and outputs the XOR T_((j mod n)+1).

A random number k_((j mod n)+1) and the XOR T_((j mod n)+1) are output from the output unit 102-((j mod n)+1) and transmitted to the key distribution management device 150.

Terminal device 100-x (terminal device U_(x)) (x=1, . . . , n, x≠j, x≠(j−2 mod n)+1, and x≠(j mod n)+1):

The function operation unit 109-x reads a key-shared-between-two-parties H_(x) ^((L))=R_((x−2 mod n)+1, x) from the storage 103-x, and obtains a function value K_(x) ^((l)) of the key-shared-between-two-parties H_(x) ^((L)) and outputs the function value K_(x) ^((L)). The function value K_(x) ^((L)) may be a value that depends only on the key-shared-between-two-parties H_(x) ^((L)) or a value that depends on the key-shared-between-two-parties H_(x) ^((L)) and another piece of additional information. Here, K_(x) ^((L))=K_((x−2 mod n)+1) ^((R)) has to be satisfied. For instance, the function operation unit 109-x obtains the function value K _(x) ^((L)) =F(sid,H _(x) ^((L)))=F(sid, R _((x−2 mod n)+1, x)) that depends on the key-shared-between-two-parties H_(x) ^((L)) and sid and outputs the function value K_(x) ^((L)). The function value K_(x) ^((L)) is stored in the storage 103-x.

The function operation unit 109-x reads a key-shared-between-two-parties H_(x) ^((R))=R_(x, (x mod n)+1) from the storage 103-x, and obtains a function value K_(x) ^((R)) of the key-shared-between-two-parties H_(x) ^((R)) and outputs the function value K_(x) ^((R)). The function value K_(x) ^((R)) may be a value that depends only on the key-shared-between-two-parties H_(x) ^((R)) or a value that depends on the key-shared-between-two-parties H_(x) ^((R)) and another piece of additional information. Here, K_(x) ^((R))=K_((x mod n)+1) ^((L)) has to be satisfied. For instance, the function operation unit 109-x obtains the function value K _(x) ^((R)) =F(sid,H _(x) ^((R)))=F(sid, R _(x, (x mod n)+1)) that depends on the key-shared-between-two-parties H_(x) ^((R)) and sid and outputs the function value K_(x) ^((R)). The function value K_(x) ^((R)) is stored in the storage 103-x.

The function value K_(x) ^((L)) and the function value K_(x) ^((R)) are input to the XOR unit 110-x. The XOR unit 110-x obtains the XOR T _(x) =K _(x) ^((L))(+)K _(x) ^((R)) of the function value K_(x) ^((L)) and the function value K_(x) ^((R)) and outputs the XOR T_(x).

A random number k_(x) read from the storage 103-x and the XOR T_(x) are output from the output unit 102-x and transmitted to the key distribution management device 150.

The XORs T₁, . . . , T_(n+1) (excluding T_(j)) and T′ and random numbers K₁, . . . , k_(n) (excluding k_(j) and k_(j+1)) are input to the input unit 151 of the key distribution management device 150 (FIG. 3) and stored in the storage 157. The XOR unit 156 obtains the XOR k′ of a plurality of values including the random numbers k₁, . . . , k_(n), (excluding k_(j) and k_(j+1)) read from the storage 157 and outputs the XOR k′. The XOR k′ may be the XOR of the random numbers k₁, . . . , k_(n) (excluding k_(j) and k_(j+1)) or the XOR of the random numbers k₁, . . . , k_(n), (excluding k_(j) and k_(j+n)) and another additional value. For example, the arithmetic unit 153 generates a random number k_(s), and the XOR unit 156 obtains the XOR k′=k ₁(+) . . . (+)k _(j−1)(+)k _(j+2)(+) . . . (+)k _(n)(+)k _(s) of the random numbers k₁, . . . , k_(n), (excluding k_(j) and k_(j+1)) and k_(s) and outputs the XOR k′.

Moreover, for y=1, . . . , n (where y≠j and y≠(j−2 mod n)+1), the XOR unit 156 obtains, when y<j−1, the XOR T_(y)′ of the XORs T₁, . . . , T_(y−1) and T_(j−1), . . . , T_(n) and outputs the XOR T_(y)′ and obtains, when j+1≤y, the XOR T_(y)′ of the XORs T_(j−1), . . . , T_(y−1) and outputs the XOR T_(y)′.

-   When y<j−1: T_(y)′=T₁(+) . . . (+)T_(y−1)(+)T_(j−1)(+) . . .     (+)T_(n) -   When j+1≤y: T_(y)′=T_(j−1)(+) . . . (+)T_(y−1)

The output unit 152 transmits the XOR k′ to the terminal device 100-((j−2 mod n)+1) and transmits the XORs T′, k′, and T_(y)′ to the terminal device 100-y (where y≠j and y≠(j−2) mod n+1).

<<Shared key generation (FIG. 18)>>

The terminal device 100-(j−1) (terminal device U_(j−1)) and the terminal device 100-y (terminal device U_(y)) (where y≠j and y≠(j−2 mod n)+1) perform different processing in shared key generation. In the terminal device 100-j (terminal device U_(j)) that has left the system, shared key generation is not performed.

Terminal device 100-y (terminal device U_(y)):

The XORs T′, k′, and T_(y)′ are input to the input unit 101-y of the terminal device 100-y. The function value reconstruction unit 111-y obtains the function value K_((j−2 mod n)+1) ^((L)) by XORing the XOR T_(y)′ with a function value K_(y) ^((L)) read from the storage 103-y and outputs the function value K_(i−2 mod n)+1) ^((L)).

The random number reconstruction unit 113-y obtains the function value B(k_((j−2 mod n)+1)) of the random number k_((j−2 mod n)+1) by XORing the XOR T′ with the function value K_((j−2 mod n)+1) ^((L)) and outputs the function value B(k_((j−2 mod n)+1)). The reason why the function value B(k_((j−2 mod n)+1)) is obtained is as follows. T′(+)K _((j−2 mod n)+1) ^((L)) =B(k _(j−2 mod n)+1))(+)K _((j−2 mod n)+1) ^((L))(+)i K _((j−2 mod n)+1) ^((L)) =B(k _((j−2 mod n)+1))

The shared key generation unit 112-y extracts the random number k_((j−2 mod n)+1) from the function value B(k_((j−2 mod n)+1)) (for example, B(k_(j−2 mod n)+)1)=k_((j−2 mod n)+1)|β), and obtains a function value of the XOR k′(+)k_((j−2 mod n)+1) of the XOR k′ and the random number k_((j−2 mod n)+1) obtained from the function value B(k_(j−2 mod n)+1)) as a shared key SK=F′(k′(+)k _(j−2 mod n)+1) and outputs the shared key SK.

Terminal device 100-(j−1) (terminal device U_(j−1)):

The XOR k′ is input to the input unit 101-(j−1) of the terminal device 100-(j−1). The shared key generation unit 112-(j−1) obtains a function to value of the XOR k′(+)k_((j−2 mod n)+1) of the XOR k′ and the random number k_((j−2 mod n)+1) read from the storage 103-(j−1) as the shared key SK=F′(+)k _((j−2 mod n)+1) and outputs the shared key SK.

In the storage 103-i (where i=1, . . . , n and i≠j) of each terminal device 100-i (terminal device U_(i)) the function value r=F″(SK) updated by using the new shared key SK and the keys-shared-between-two-parties H_(i) ^((L))=R_((i−2 mod n)+1, i) and H_(i) ^((R))=R_(i, (i mod n)+1) are stored.

<Features of the Present Embodiment>

In the present embodiment, the key capsule-type key exchange between two parties is adopted, which makes it possible to perform a key exchange between two parties which conforms to post-quantum cryptography of the public key cryptosystem. By performing the above-described processing using this key exchange, after an arbitrary terminal device leaves the system, a quantum-safe multiparty key exchange can be performed among the other terminal devices. Moreover, by reusing the keys-shared-between-two-parties H_(i) ^((L))=R_((i−2 mod n)+1, i) and H_(i) ^((R))=R_(i, (i mod n)+1) obtained by the processing of the first embodiment, it is possible to reduce the amount of computation and the communication volume.

Embodiments

When lattice-based cryptography is used as post-quantum cryptography, a key capsule decryption key sky described in each embodiment is a vector s_(ν) consisting of κ₁(ν) integers and a key encryption key pk_(ν) is b_(ν)=A_(ν)s_(ν)+e_(ν). Moreover, a key capsule C_(ν, (ν mod μ)+1) is {γ_(ν), ξ_(ν)′}, and a key-shared-between-two-parties R_(ν, (ν mod μ)+1) is ROUND (2ξ_(ν) ⁻/q). Here, A_(ν) is a κ₁(ν)×κ₂(ν) basis matrix, κ₁(ν) and κ₂(ν) are positive integers, ν and μ are positive integers, and e_(ν) is a vector consisting of κ₂(ν) elements. γ_(ν)=A_(ν)s_(ν)′+e_(ν)′ and is floor(4ξ_(ν) ⁻/q)mod2. s_(ν)′ is a vector (for example, a vector randomly selected in accordance with the normal distribution) consisting of κ₁(ν) integers and e_(ν)′ and e_(ν)″ are each a vector (for example, a vector randomly selected in accordance with the normal distribution) consisting of κ₂(ν) elements. ξ_(ν)=b_((ν mod μ)+1)s_(ν)′+e_(ν)″ and ξ_(ν) ⁻ is a random function value of ξ_(ν) (a value obtained by applying ξ_(ν) to a random function). q is an integer greater than or equal to 2, floor is a floor function, and ROUND is a round-off function.

Each terminal device may generate, using a publicly known commitment algorithm (for example, Reference Literature 3), a commitment using a random number k_(i), and a commitment and output the commitment along with a key capsule of a key-shared-between-two-parties. sid may be a function value of the commitment output from each terminal device. Each terminal device may generate an authentication code of each piece of information and output the authentication code, and the authentication code may be verified in another terminal device or a key distribution management device. A shared key SK may be a function value that further depends on sid. A shared key SK may be a function value that further depends on a decrypted value of cipher text obtained based on an attribute-based algorithm (Reference Literature 2). sid may be omitted.

Reference Literature 3 (commitment algorithm): Fabrice Benhamouda, Stephan Krenn, Vadim Lyubashevsky, Krzysztof Pietrzak, “Efficient Zero-Knowledge Proofs for Commitments from Learning With Errors over Rings,” In: ESORICS: European Symposium on Research in Computer Security, Sep. 21-25, 2015.

Other Modifications

It is to be noted that the present invention is not limited to the foregoing embodiments. For example, the above-described various kinds of processing may be executed, in addition to being executed in chronological order in accordance with the descriptions, in parallel or individually depending on the processing power of a device that executes the processing or when necessary. In addition, it goes without saying that changes may be made as appropriate without departing from the spirit of the present invention.

The above-described each device is embodied by execution of a predetermined program by a general- or special-purpose computer having a processor (hardware processor) such as a central processing unit (CPU), memories such as random-access memory (RAM) and read-only memory (ROM), and the like, for example. The computer may have one processor and one memory or have multiple processors and memories. The program may be installed on the computer or pre-recorded on the ROM and the like. Also, some or all of the processing units may be embodied using an electronic circuit that implements processing functions without using programs, rather than an electronic circuit (circuitry) that implements functional components by loading of programs like a CPU. An electronic circuit constituting a single device may include multiple CPUs.

When the above-described configurations are implemented by a computer, the processing details of the functions supposed to be provided in each device are described by a program. As a result of this program being executed by the computer, the above-described processing functions are implemented on the computer. The program describing the processing details can be recorded on a computer-readable recording medium. An example of the computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium include a magnetic recording device, an optical disk, a magneto-optical recording medium, and semiconductor memory.

The distribution of this program is performed by, for example, selling, transferring, or lending a portable recording medium such as a DVD or a CD-ROM on which the program is recorded. Furthermore, a configuration may be adopted in which this program is distributed by storing the program in a storage device of a server computer and transferring the program to other computers from the server computer via a network.

The computer that executes such a program first, for example, temporarily stores the program recorded on the portable recording medium or the program transferred from the server computer in a storage device thereof. At the time of execution of processing, the computer reads the program stored in the storage device thereof and executes the processing in accordance with the read program. As another mode of execution of this program, the computer may read the program directly from the portable recording medium and execute the processing in accordance with the program and, furthermore, every time the program is transferred to the computer from the server computer, the computer may sequentially execute the processing in accordance with the received program. A configuration may be adopted in which the transfer of a program to the computer from the server computer is not performed and the above-described processing is executed by so-called application service provider (ASP)-type service by which the processing functions are implemented only by an instruction for execution thereof and result acquisition.

Instead of executing a predetermined program on the computer to implement the processing functions of the present devices, at least some of the processing functions may be implemented by hardware.

INDUSTRIAL APPLICABILITY

The multiparty key exchange technique of the present invention can be used in, for example, applications using cryptography. For instance, the multiparty key exchange technique of the present invention can be used in encryption of data that can be accessed by more than one person, encryption of data that is exchanged in multiparty communication, and shared key exchange (sharing) processing that is used in various practical applications such as multiparty electronic signature and signature verification, electronic voting, and electronic money.

DESCRIPTION OF REFERENCE NUMERALS

1 to 3 key exchange system

100-1 to 100-(n+1) terminal device 

What is claimed is:
 1. A key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising: terminal devices U₁, . . . , U_(n) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem; and a key distribution management device, wherein n is an integer greater than or equal to 3, i=1, . . . , n, v=2, . . . , n, and, for a positive integer α, −1 mod α=α−1, a terminal device U_(i), includes an i-th storage that stores a key capsule decryption key sk_(i) which conforms to the post-quantum cryptography of the public key cryptosystem, an i-th output unit that outputs a key encryption key pk_(i) corresponding to the key capsule decryption key sk_(i) in order to transmit the key encryption key pk_(i) to a terminal device U_((i−2 mod n)+1), an i-th input unit that accepts a key encryption key pk_((i mod n)+1) which conforms to the post-quantum cryptography and is output from a terminal device U_((i mod n)+1), an i-th random number setting unit that sets a random number k_(i), an i-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk_((i mod n)+1), a key-shared-between-two-parties R_((i mod n)+1) and a key capsule C_(i, (i mod n)+1) which is cipher text of the key-shared-between-two-parties R_(i, (i mod n)+1), and the i-th output unit that outputs the key capsule C_(i(i mod n)+1) in order to transmit the key capsule C_(i, (i mod n)+1) to the terminal device U_((i mod n)+1), the i-th input unit accepts a key capsule C_((i−2 mod n)+1, i) which is output from the terminal device U_((i−2 mod n)+1), the terminal device U₁ includes a first decryption unit that generates a key-shared-between-two-parties R_(n, 1) by decrypting a key capsule C_(n, 1) using a key capsule decryption key sk₁, a first function operation unit that generates a function value K₁ ^((L)) of the key-shared-between-two-parties R_(n, 1) and generates a function value K₁ ^((R)) of a key-shared-between-two-parties R_(1, 2), a first XOR unit that generates an XOR T₁ of the function value K₁ ^((L)) and the function value K₁ ^((R)) and generates an XOR T′ of a function value of a random number k₁ and the function value K₁ ^((L)), and a first output unit that outputs the XORs T₁ and T′ to the key distribution management device, a terminal device U_(v) includes a v-th decryption unit that generates a key-shared-between-two-parties R_((v−2 mod n)+1, v) by decrypting a key capsule C_((v−2 mod n)+1, v) using a key capsule decryption key sk_(v), a v-th function operation unit that generates a function value K_(v) ^((L)) of the key-shared-between-two-parties R_((v−2 mod n)+1, v) and generates a function value K_(v) ^((R)) of a key-shared-between-two-parties R_(v, (v mod n)+1), a v-th XOR unit that generates an XOR T_(v) of the function value K_(v) ^((L)) and the function value K_(v) ^((R)), and a v-th output unit that outputs a random number k_(v) and the XOR T_(v) to the key distribution management device, the key distribution management device includes an XOR unit that generates an XOR k′ of a plurality of values including random numbers k₂, . . . , k_(n) and generates an XOR T_(v)′ of XORs T₁, . . . , T_(v−1), and outputs the XOR k′ to the terminal device U₁ and outputs the XORs T′, k′ and T_(v)′ to the terminal device U_(v), the terminal device U₁ includes a first shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as a shared key SK, and the terminal device U_(v) includes a v-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing the XOR T_(v)′ with the function value K_(v) ^((L)), a v-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and a v-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁, which is obtained from the function value of the random number k₁, as the shared key SK.
 2. A key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising: terminal devices U₁, . . . , U_(n+1) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem; and a key distribution management device, wherein n is an integer greater than or equal to 3, i=1, . . . , n, v=2, . . . , n, w=2, . . . , n+1, z=2, . . . , n−1, ρ=1, . . . , n−1, and, for a positive integer α, −1 mod α=α−1, a terminal device U_(i) includes an i-th storage that stores a function value r, the terminal device U₁ includes a first storage that stores a key capsule decryption key sk₁ which conforms to the post-quantum cryptography of the public key cryptosystem, and a first output unit that outputs a key encryption key pk₁ corresponding to the key capsule decryption key sk₁ in order to transmit the key encryption key pk₁ to the terminal device U_(n+1), the terminal device U_(n+1) includes an (n+1)-th storage that stores a key capsule decryption key sk_(n+1) which conforms to the post-quantum cryptography, and an (n+1)-th output unit that outputs a key encryption key pk_(n+1) corresponding to the key capsule decryption key sk_(n+1) in order to transmit the key pk_(n+1) to a terminal device U_(n), the terminal device U_(n) includes an n-th input unit that accepts the key encryption key pk_(n+1) which is output from the terminal device U_(n+1), an n-th random number setting unit that sets a random number k_(n), an n-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk_(n+1), a key-shared-between-two-parties R_(n, n+1) and a key capsule C_(n, n+1) which is cipher text of the key-shared-between-two-parties R_(n, n+1), and an n-th output unit that outputs the key capsule C_(n, n|1) in order to transmit the key capsule C_(n, n+1) to the terminal device U_(n+1), the terminal device U_(n+1) includes an (n+1)-th input unit that accepts the key encryption key pk₁ which is output from the terminal device U₁, an (n+1)-th random number setting unit that sets a random number k_(n+1), an (n+1)-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk₁, a key-shared-between-two-parties R_(n+1, 1) and a key capsule C_(n+1, 1), which is cipher text of the key-shared-between-two-parties R_(n+1, 1), the (n+1)-th output unit that outputs the key capsule C_(n+1, 1) in order to transmit the key capsule C_(n+1, 1) to the terminal device U₁, and the (n+1)-th input unit that accepts the key capsule C_(n, n+1) which is output from the terminal device U_(n), a terminal device U_(ρ) includes a ρ-th random number setting unit that sets a random number k_(ρ), the terminal device U₁ includes a first input unit that accepts the key capsule C_(n+1, 1) which is output from the terminal device U_(n+1), a first decryption unit that generates the key-shared-between-two-parties R_(n|1, 1) by decrypting the key capsule C_(n+1, 1) using the key capsule decryption key sk₁, a first function operation unit that generates a function value K₁ ^((L)) of the key-shared-between-two-parties R_(n+1, 1) and generates a function value K₁ ^((R)) of the function value r, a first XOR unit that generates an XOR T₁ of the function value K₁ ^((L)) and the function value K₁ ^((R)) and generates an XOR T′ of a function value of a random number k₁ and the function value K₁ ^((L)), and the first output unit that outputs the XORs T₁ and T′ to the key distribution management device, the terminal device U_(n) includes an n-th function operation unit that generates a function value K_(n) ^((L)) of the function value r and generates a function value K_(n) ^((R)) of the key-shared-between-two-parties R_(n, n+)1, an n-th XOR unit that generates an XOR T_(n) of the function value K_(n) ^((L)) and the function value K_(n) ^((R)), and the n-th output unit that outputs a random number k_(n) and the XOR T_(n) to the key distribution management device, the terminal device U_(n+1) includes an (n+1)-th decryption unit that generates the key-shared-between-two-parties R_(n, n+1) by decrypting the key capsule C_(n, n+1) using a key capsule decryption key sk_(n+1), an (n+1)-th function operation unit that generates a function value K_(n|1) ^((L)) of the key-shared-between-two-parties R_(n, n+1) and generates a function value K_(n+1) ^((R)) of the key-shared-between-two-parties R_(n+1, 1), an (n+1)-th XOR unit that generates an XOR T_(n+1) of the function value K_(n+1) ^((L)) and the function value K_(n+1) ^((R)), and the (n+1)-th output unit that outputs a random number k_(n+1) and the XOR T_(n+1) to the key distribution management device, a terminal device U_(z) includes a z-th output unit that outputs a random number k_(z) to the key distribution management device, the key distribution management device includes an XOR unit that generates an XOR k′ of a plurality of values including random numbers k₂, . . . , k_(n+1) and generates an XOR T_(w)′ of XORs T₁, . . . , T_(w−1), of which XORs T₂, . . . , T_(n−1) are nulls, and outputs the XOR k′ to the terminal device U₁ and outputs the XORs T′, k′ and T_(w)′ to the terminal device U_(w), the terminal device U₁ includes a first shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as a shared key SK, the terminal device U_(n) includes an n-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing an XOR T_(n)′ with a function value K_(n) ^((L)), an n-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and an n-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁, which is obtained from the function value of the random number k₁, as the shared key SK, the terminal device U_(n+1) includes an (n+1)-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing an XOR T_(n+1)′ with a function value K_(n+1) ^((L)), an (n+1)-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and an (n+1)-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as the shared key SK, and the terminal device U_(ρ) includes a ρ-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing an XOR T_(ρ)′ with the function value K₁ ^((R)) of the function value r, a ρ-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and a ρ-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as the shared key SK.
 3. A key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising: terminal devices U₁, . . . , U_(n) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem; and a key distribution management device, wherein n is an integer greater than or equal to 3, i=1, . . . , n, j is an integer greater than or equal to 1 and less than or equal to n, y=1, . . . , n, y≠j, y≠(j−2 mod n)+1, x=1, . . . , n, x≠j, x≠(j−2 mod n)+1, x≠(j mod n)+1, and, for a positive integer α, −1 mod α=α−1, a terminal device U_(i) includes an i-th storage that stores keys-shared-between-two-parties H_(i) ^((L))=R_((i−2 mod n)+1, i) and H_(i) ^((R))=R_(i, i mod n)+1), a terminal device U_((i mod n)+1) includes a (j+1)-th storage that stores a key capsule decryption key sk_((j mod n)+1) which conforms to the post-quantum cryptography of the public key cryptosystem, and a (j+1)-th output unit that outputs a key encryption key pk_((j mod n)+1) corresponding to the key capsule decryption key sk_((j mod n)+1) in order to transmit the key capsule decryption key sk_((j mod n)+1) to a terminal device U_((j−2 mod n)+1), the terminal device U_((j−2 mod n)+1) includes a (j−1)-th input unit that accepts the key encryption key pk_((j mod n)+1) which is output from the terminal device U_((j mod n)+1), a (j−1)-th random number setting unit that sets a random number k_((j−2 mod n)+1), a (j−1)-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk_((j mod n)+1), a key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and a key capsule C_((j−2 mod n)+1, (j mod n)+1) which is cipher text of the key-shared-between-two-parties R_((j−2 mod n)|1, (j mod n)|1), and a (j−1)-th output unit that outputs the key capsule C_((j−2 mod n)+1, (j mod n)+1) in order to transmit the key capsule C_((j−2 mod n)+1, (j mod n)+1) to the terminal device U_((j mod n)+1), a terminal device U_(y) includes a y-th random number setting unit that sets a random number k_(y), the terminal device U_((j mod n)+1) includes a (j+1)-th input unit that accepts the key capsule C_(j−2 mod n)+1, (j mod n)+1) which is output from the terminal device U_((j−2 mod n)+1), the terminal device U_((j−2 mod n)+1) includes a (j−1)-th function operation unit that generates a function value K_((j−2 mod n)+1) ^((L)) of a key-shared-between-two-parties H_((j−2 mod n)|1) ^((L)) and generates a function value K_((j−2 mod n)+1) ^((R)) of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1), a (j−1)-th XOR unit that generates an XOR T_((j−2 mod n)+1) of the function value K_((j−2 mod n)+1) ^((L)) and the function value K_((j−2 mod n)+1) ^((R)) and generates an XOR T′ of a function value of a random number k_((j−2 mod n)+1) and the function value K_((j−2 mod n)+1) ^((L)), and the (j−1)-th output unit that outputs the XOR T_((j−2 mod n)+1) and the XOR T′ to the key distribution management device, the terminal device U_((j mod n)+1) includes a (j+1)-th decryption unit that generates the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) by decrypting the key capsule C_((j−2 mod n)+1, (j mod n)+1) using a key capsule decryption key sk_((j mod n)+1), a (j+1)-th function operation unit that generates a function value K_((jmod n)|1) ^((L)) of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and generates a function value K_((j mod n)+1) ^((R)) of a key-shared-between-two-parties H_((j mod n)+1) ^((R)), a (j+1)-th XOR unit that generates an XOR T_((j mod n)+1) of the function value K_((j mod n)+1) ^((L)) and the function value K_((j mod n)) ^((R)), and the (j+1)-th output unit that outputs a random number k_((j mod n)+1) and the XOR T_((j mod n)+1) to the key distribution management device, a terminal device U_(X) includes an x-th function operation unit that generates a function value K_(x) ^((L)) of a key-shared-between-two-parties H_(x) ^((L)) and generates a function value K_(x) ^((R)) of a key-shared-between-two-parties H_(x) ^((R)), an x-th XOR unit that generates an XOR T_(x) of the function value K_(x) ^((L)) and the function value K_(x) ^((R)), and an x-th output unit that outputs a random number k_(x) and the XOR T_(x) to the key distribution management device, the key distribution management device includes a k′ generation unit that generates an XOR k′ of a plurality of values including random numbers k₁, . . . , k_(n) (excluding k_(j) and k_(j+1)) and outputs the XOR k′, and an XOR unit that generates, when y<j−1, an XOR T_(y)′ of XORs T₁, . . . , T_(y−1) and T_(j−1), . . . , T_(n) and outputs the XOR T_(y)′ and generates, when j+1≤i, an XOR T_(y)′ of XORs T_(j−1), . . . , T_(y−1) and outputs the XOR T_(y)′, the terminal device U_(y) includes a y-th function value reconstruction unit that generates the function value K_((j−2 mod n)+1) ^((L)) by XORing the XOR T_(y)′ with a function value K_(y) ^((L)), a y-th random number reconstruction unit that generates the function value of the random number k_((j−2 mod n)+1) by XORing the XOR T′ with the function value K_((j−2 mod n)+1) ^((L)), and a y-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k_((j−2 mod n)+1), which is obtained from the function value of the random number k_((j−2 mod n)+1), as a shared key SK, and a terminal device U_(j−1) includes a (j−1)-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k_((j−2 mod n)+1) as the shared key SK.
 4. The key exchange system according to any one of claims 1 to 3, wherein the post-quantum cryptography is lattice-based cryptography, code-based cryptography, or multivariate encryption scheme.
 5. The key exchange system according to any one of claims 1 to 3, wherein κ₁(ν) and κ₂(ν) are positive integers, A_(ν)is a κ₁(ν)×κ₂(ν) basis matrix, ν and μ are positive integers, and e_(ν)is a vector consisting of κ₂(ν) elements, a key capsule decryption key sk_(ν)is a vector s_(ν) consisting of κ₁ (ν) integers, a key encryption key pk_(ν)is b_(ν)=A_(ν)s_(ν)+e_(ν), a key capsule C_(ν, (ν mod μ)+1) is {γ_(ν), ξ_(ν)′} and a key-shared-between-two-parties R_(ν, (ν mod μ)+1) is ROUND (2ξ_(ν) ⁻/q), and γ_(ν)=A_(ν)s_(ν)′+e_(ν)′, ξ_(ν)′ is floor (4ξ_(ν) ⁻/q) mod 2, s_(ν)′ is a vector consisting of κ₁(ν) integers, e_(ν)′ and e_(ν)″ are each a vector consisting of κ₂(ν) elements, ξ_(ν)=b_((ν mod μ)+1)s_(ν)′+e_(ν)″, ξ_(ν) ⁻is a random function value of ξ_(ν), q is an integer greater than or equal to 2, floor is a floor function, and ROUND is a round-off function.
 6. A terminal device U_(i) of a key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising terminal devices U₁, . . . , U_(n) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem; and a key distribution management device, wherein n is an integer greater than or equal to 3, i=1, . . . , n, v=2, . . . , n, and, for a positive integer α, −1 mod α=α−1, a terminal device U_(i) includes an i-th storage that stores a key capsule decryption key sk_(i) which conforms to the post-quantum cryptography of the public key cryptosystem, an i-th output unit that outputs a key encryption key pk_(i) corresponding to the key capsule decryption key sk_(i) in order to transmit the key encryption key pk_(i) to a terminal device U_((i−2 mod n)+1), an i-th input unit that accepts a key encryption key pk_((i mod n)+1) which conforms to the post-quantum cryptography and is output from a terminal device U_((i mod n)+1), an i-th random number setting unit that sets a random number k_(i), an i-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk_((i mod n)+1), a key-shared-between-two-parties R_(i, (i mod n)+1) and a key capsule C_(i, (i mod n)+1) which is cipher text of the key-shared-between-two-parties R_(i, (i mod n)+1), and the i-th output unit that outputs the key capsule C_(i, (i mod n)+1) in order to transmit the key capsule C_(i, (i mod n)|1) to the terminal device U_((i mod n)|1), the i-th input unit accepts a key capsule C_((i−2 mod n)+1, i) which is output from the terminal device U_((i−2 mod n)+1), the terminal device U₁ includes a first decryption unit that generates a key-shared-between-two-parties R_(n, 1) by decrypting a key capsule C_(n, 1) using a key capsule decryption key sk₁, a first function operation unit that generates a function value K₁ ^((L)) of the key-shared-between-two-parties R_(n, 1) and generates a function value K₁ ^((R)) of a key-shared-between-two-parties R_(1, 2), a first XOR unit that generates an XOR T₁ of the function value K₁ ^((L)) and the function value K₁ ^((R)) and generates an XOR T′ of a function value of a random number k₁ and the function value K₁ ^((L)), and a first output unit that outputs the XORs T₁ and T′ to the key distribution management device, a terminal device U_(v) includes a v-th decryption unit that generates a key-shared-between-two-parties R_((v−2 mod n)+1, v) by decrypting a key capsule C_((v−2 mod n)+1, v) using a key capsule decryption key sk_(v), a v-th function operation unit that generates a function value K_(v) ^((L)) of the key-shared-between-two-parties R_((v−2 mod n)+1, v) and generates a function value K_(v) ^((R)) of a key-shared-between-two-parties R_(v, (v mod n)+1), a v-th XOR unit that generates an XOR T_(v) of the function value K_(v) ^((L)) and the function value K_(v) ^((R)), and a v-th output unit that outputs a random number k_(v) and the XOR T_(v) to the key distribution management device, the key distribution management device includes an XOR unit that generates an XOR k′ of a plurality of values including random numbers k₂, . . . , k_(n) and generates an XOR T_(v)′ of XORs T₁, . . . , T_(v−1), and outputs the XOR k′ to the terminal device U₁ and outputs the XORs T′, k′ and T_(v)′ to the terminal device U_(v), the terminal device U₁ includes a first shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as a shared key SK, and the terminal device U_(v) includes a v-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing the XOR T_(v)′ with the function value K_(v) ^((L)), a v-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and a v-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁, which is obtained from the function value of the random number k₁, as the shared key SK.
 7. A terminal device U_(i″)of a key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising terminal devices U₁, . . . , U_(n+1) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem; and a key distribution management device, wherein n is an integer greater than or equal to 3, i″=1, . . . , n+1, i=1, . . . , n, v=2, . . . , n, w=2, . . . , n+1, z=2, . . . , n−1, ρ=1, . . . , n−1, and, for a positive integer α, −1 mod α=α−1, a terminal device U_(i) includes an i-th storage that stores a function value r, the terminal device U₁ includes a first storage that stores a key capsule decryption key sk₁ which conforms to the post-quantum cryptography of the public key cryptosystem, and a first output unit that outputs a key encryption key pk₁ corresponding to the key capsule decryption key sk₁ in order to transmit the key encryption key pk₁ to the terminal device U_(n+1), the terminal device U_(n+1) includes an (n+1)-th storage that stores a key capsule decryption key sk_(n+1) which conforms to the post-quantum cryptography, and an (n+1)-th output unit that outputs a key encryption key pk_(n|1) corresponding to the key capsule decryption key sk_(n+1) in order to transmit the key encryption key pk_(n+1) to a terminal device U_(n), the terminal device U_(n) includes an n-th input unit that accepts the key encryption key pk_(n+1) which is output from the terminal device U_(n+1), an n-th random number setting unit that sets a random number k_(n), an n-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk_(n+1) a key-shared-between-two-parties R_(n, n+1) and a key capsule C_(n, n+1) which is cipher text of the key-shared-between-two-parties R_(n, n+1), and an n-th output unit that outputs the key capsule C_(n, n+1) in order to transmit the key capsule C_(n, n+1) to the terminal device U_(n+1), the terminal device U_(n+1) includes an (n+1)-th input unit that accepts the key encryption key pk₁ which is output from the terminal device U₁, an (n+1)-th random number setting unit that sets a random number k_(n+1), an (n+1)-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk₁, a key-shared-between-two-parties R_(n|1, 1) and a key capsule C_(n+1, 1) which is cipher text of the key-shared-between-two-parties R_(n+1, 1), the (n+1)-th output unit that outputs the key capsule C_(n+1) in order to transmit the key capsule C_(n+1, 1) to the terminal device U₁, and the (n+1)-th input unit that accepts the key capsule C_(n, n+1) which is output from the terminal device U_(n), a terminal device U_(ρ) includes a ρ-th random number setting unit that sets a random number k_(ρ), the terminal device U₁ includes a first input unit that accepts the key capsule C_(n+1, 1) which is output from the terminal device U_(n+1), a first decryption unit that generates the key-shared-between-two-parties R_(n+1, 1) by decrypting the key capsule C_(n+1, 1) using the key capsule decryption key sk₁, a first function operation unit that generates a function value K₁ ^((L)) of the key-shared-between-two-parties R_(n+1, 1) and generates a function value K₁ ^((R)) of the function value r, a first XOR unit that generates an XOR T₁ of the function value K₁ ^((L)) and the function value K₁ ^((R)) and generates an XOR T′ of a function value of a random number k₁ and the function value K₁ ^((L)), and the first output unit that outputs the XORs T₁ and T′ to the key distribution management device, the terminal device U_(n) includes an n-th function operation unit that generates a function value K_(n) ^((L)) of the function value r and generates a function value K_(n) ^((R)) of the key-shared-between-two-parties R_(n, n+1), an n-th XOR unit that generates an XOR T_(n) of the function value K_(n) ^((L)) and the function value K_(n) ^((R)), and the n-th output unit that outputs a random number k_(n) and the XOR T_(n) to the key distribution management device, the terminal device U_(n+1) includes an (n+1)-th decryption unit that generates the key-shared-between-two-parties R_(n, n+1) by decrypting the key capsule C_(n, n+1) using a key capsule decryption key sk_(n+1), an (n+1)-th function operation unit that generates a function value K_(n+1) ^((L)) of the key-shared-between-two-parties R_(n, n+1) and generates a function value K_(n+1) ^((R)) of the key-shared-between-two-parties R_(n+1, 1), an (n+1)-th XOR unit that generates an XOR T_(n+1) of the function value K_(n|1) ^((L)) and the function value K_(n|1) ^((R)), and the (n+1)-th output unit that outputs a random number k_(n+1) and the XOR T_(n+1) to the key distribution management device, a terminal device U_(z) includes a z-th output unit that outputs a random number k_(z) to the key distribution management device, the key distribution management device includes an XOR unit that generates an XOR k′ of a plurality of values including random numbers k₂, . . . , k_(n+1) and generates an XOR T_(w)′ of XORs T₁, . . . , T_(w−1), of which XORs T₂, . . . , T_(n−1) are nulls, and outputs the XOR k′ to the terminal device U₁ and outputs the XORs T′, k′ and T_(w)′ to the terminal device U_(w), the terminal device U₁ includes a first shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as a shared key SK, the terminal device U_(n) includes an n-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing an XOR T_(n)′ with a function value K₁ ^((L)), an n-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and an n-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁, which is obtained from the function value of the random number k₁, as the shared key SK, the terminal device U_(n+1) includes an (n+1)-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing an XOR T_(n+1)′ with a function value K_(n+1) ^((L)), an (n+1)-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and an (n+1)-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as the shared key SK, and the terminal device U_(ρ) includes a ρ-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing an XOR T_(ρ)′ with the function value K₁ ^((R)) of the function value r, a ρ-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and a ρ-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as the shared key SK.
 8. A terminal device U_(i) of a key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising terminal devices U₁, . . . , U_(n) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem; and a key distribution management device, wherein n is an integer greater than or equal to 3, i=1, . . . , n, j is an integer greater than or equal to 1 and less than or equal to n, y=1, . . . , n, y≠j, y≠(j−2 mod n)+1, x=1, . . . , n, x≠j, x≠(j−2 mod n)+1, x≠(j mod n)+1, and, for a positive integer α, −1 mod α=α−1, a terminal device U_(i) includes an i-th storage that stores keys-shared-between-two-parties H_(i) ^((L))=R_((i−2 mod n)+1, i) and H_(i) ^((R))=R_(i, (i mod n)=1), a terminal device U_((j mod n)+1) includes a (j+1)-th storage that stores a key capsule decryption key sk_((j mod n)+1) which conforms to the post-quantum cryptography of the public key cryptosystem, and a (j+1)-th output unit that outputs a key encryption key pk_((j mod n)+1) corresponding to the key capsule decryption key sk_((j mod n)+1) in order to transmit the key capsule decryption key sk_((j mod n)|1) to a terminal device U_((j−2 mod n)|1), the terminal device U_((j−2 mod n)+1) includes a (j−1)-th input unit that accepts the key encryption key pk_((j mod n)+1) which is output from the terminal device U_((j mod n)+1), a (j−1)-th random number setting unit that sets a random number k_((j−2 mod n)+1), a (j−1)-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk_((j mod n)+1), a key-shared-between-two-parties R_((j−2 mod n)+1, (i mod n)+1) and a key capsule C_((j−2 mod n)+1, (j mod n)+1) which is cipher text of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1), and a (j−1)-th output unit that outputs the key capsule C_((j−2 mod n)+1, (j mod n)+1) in order to transmit the key capsule C_((j−2 mod n)+1, (j mod n)+1) to the terminal device U_((j mod n)+1,) a terminal device U_(y) includes a y-th random number setting unit that sets a random number k_(y), the terminal device U_((j mod n)+1) includes a (j+1)-th input unit that accepts the key capsule C_((j−2 mod n)+1, (j mod n)+1) which is output from the terminal device U_((j−2 mod n)+1), the terminal device U_((j−2 mod n)+1) includes a (j−1)-th function operation unit that generates a function value K_((j−2 mod n)+1) ^((L)) of a key-shared-between-two-parties H_((j−2 mod n)+1) ^((L)) and generates a function value K_((j−2 mod n)+1) ^((R)) of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1), a (j−1)-th XOR unit that generates an XOR T_((j−2 mod n)+1) of the function value K_((j−2 mod n)+1) ^((L)) and the function value K_((j−2 mod n)+1) ^((R)) and generates an XOR T′ of a function value of a random number k_((j−2 mod n)+1) and the function value K_((j−2 mod n)+1) ^((L)), and the (j−1)-th output unit that outputs the XOR T_((j−2 mod n)+1) and the XOR T′ to the key distribution management device, the terminal device U_((j mod n)|1) includes a (j+1)-th decryption unit that generates the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) by decrypting the key capsule C_((j−2 mod n)+1, (j mod n)+1) using a key capsule decryption key sk_((j mod n)+1), a (j+1)-th function operation unit that generates a function value K_((j mod n)+1) ^((L)) of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and generates a function value K_((j mod n)+1) ^((R)) key-shared-between-two-parties H_((j mod n)+1) ^((R)), a (j+1)-th XOR unit that generates an XOR T_((j mod n)+1) of the function value K_((j mod n)+1) ^((L)) and the function value K_((j mod n)+1) ^((R)), and the (j+1)-th output unit that outputs a random number k_((j mod n)+1) and the XOR T_((j mod n)+1) to the key distribution management device, a terminal device U_(x) includes an x-th function operation unit that generates a function value K_(x) ^((L)) of a key-shared-between-two-parties H_(x) ^((L)) and generates a function value K_(x) ^((R)) of a key-shared-between-two-parties H_(x) ^((R)), an x-th XOR unit that generates an XOR T_(x) of the function value K_(x) ^((L)) and the function value K_(x) ^((R)), and an x-th output unit that outputs a random number k_(x) and the XOR T_(x) to the key distribution management device, the key distribution management device includes a k′ generation unit that generates an XOR k′ of a plurality of values including random numbers k₁, . . . , k_(n) (excluding k_(j) and k_(j+1)) and outputs the XOR k′, and an XOR unit that generates, when y<j−1, an XOR T_(y)′ of XORs T₁, . . . , T_(y−1) and T_(j−1), . . . , T_(n) and outputs the XOR T_(y)′ and generates, when j+1≤i, an XOR T_(y)′ of XORs T_(j−1), . . . , T_(y−1) and outputs the XOR T_(y)′, the terminal device U_(y) includes a y-th function value reconstruction unit that generates the function value K_(j−2 mod n)+1) ^((L)) by XORing the XOR T_(y)′ with a function value K_(y) ^((L)), a y-th random number reconstruction unit that generates the function value of the random number k_((j−2 mod n)+1) by XORing the XOR T′ with the function value K_(j−2 mod n)+1) ^((L)), and a y-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k_((j−2 mod n)|1), which is obtained from the function value of the random number k_((j−2 mod n)+1), as a shared key SK, and a terminal device U_(j−1) includes a (j−1)-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k_((j−2 mod n)+1) as the shared key SK.
 9. A key exchange method of a key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising terminal devices U₁, . . . , U_(n) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem; and a key distribution management device, wherein n is an integer greater than or equal to 3, i=1, . . . , n, v=2, . . . , n, and, for a positive integer α, −1 mod α=α−1, and the key exchange method includes: (a) a step in which a terminal device U_(i) outputs a key encryption key pk_(i) corresponding to a key capsule decryption key sk_(i) which conforms to the post-quantum cryptography of the public key cryptosystem in order to transmit the key encryption key pk_(i) to a terminal device U_((i−2 mod n)|1), accepts a key encryption key pk_((i mod n)+1) which conforms to the post-quantum cryptography and is output from a terminal device U_((i mod n)+1), sets a random number k_(i), generates, using the key encryption key pk_((i mod n)+1), a key-shared-between-two-parties R_(i, (i mod n)+1) and a key capsule C_(i, (i mod n)+1) which is cipher text of the key-shared-between-two-parties R_(i, (i mod n)+1), outputs the key capsule C_(i, (i mod n)+1) in order to transmit the key capsule C_(1, (i mod n)+)1 to the terminal device U_((i mod n)+1), and accepts a key capsule C_((i−2 mod n)+1, i) which is output from the terminal device U_((i−2 mod n)+1), (b) a step in which the terminal device U₁ generates a key-shared-between-two-parties R_(n, 1) by decrypting a key capsule C_(n, 1) using a key capsule decryption key sk₁, generates a function value K₁ ^((L)) of the key-shared-between-two-parties R_(n, 1) and generates a function value K₁ ^((R)) of a key-shared-between-two-parties R_(1, 2), generates an XOR T₁ of the function value K₁ ^((L)) and the function value K₁ ^((R)) and generates an XOR T′ of a function value of a random number k₁ and the function value K₁ ^((L)), and outputs the XORs T₁ and T′ to the key distribution management device, (c) a step in which a terminal device U_(v) generates a key-shared-between-two-parties R_((v−2 mod n)+1, v) by decrypting a key capsule C_((v−2 mod n)|1, v) using a key capsule decryption key sk_(v), generates a function value K_(v) ^((L)) of the key-shared-between-two-parties R_((v−2 mod n)+1, v) and generates a function value K_(v) ^((R)) of a key-shared-between-two-parties R_(v, (v mod n)+1), generates an XOR T_(v) of the function value K_(v) ^((L)) and the function value K_(v) ^((R)), and outputs a random number k_(v) and the XOR T_(v) to the key distribution management device, (d) a step in which the key distribution management device generates an XOR k′ of a plurality of values including random numbers k₂, . . . , k_(n) and generates an XOR T_(v)′ of XORs T₁, . . . , T_(v−1), and outputs the XOR k′ to the terminal device U₁ and outputs the XORs T′, k′ and T_(v)′ to the terminal device U_(v), (e) a step in which the terminal device U₁ generates a function value of an XOR of the XOR k′ and the random number k₁ as a shared key SK, and (f) a step in which the terminal device U_(v) generates the function value K₁ ^((L)) by XORing the XOR T_(v)′ with the function value K_(v) ^((L)), generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and generates a function value of an XOR of the XOR k′ and the random number k₁, which is obtained from the function value of the random number k₁, as the shared key SK.
 10. A key exchange method of a key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising terminal devices U₁, . . . , U_(n+1) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem: and a key distribution management device, wherein n is an integer greater than or equal to 3, i=1, . . . , n, v=2, . . . , n, w=2, . . . , n|1, z=2, . . . , n−1, ρ=1, . . . , n−1, and, for a positive integer α, −1 mod α=α−1, and the key exchange method includes: (a) a step in which a terminal device U_(i) stores a function value r, (b) a step in which the terminal device U₁ stores a key capsule decryption key sk₁ which conforms to the post-quantum cryptography of the public key cryptosystem, and outputs a key encryption key pk₁ corresponding to the key capsule decryption key sk₁ in order to transmit the key encryption key pk₁ to the terminal device U_(n+1), (c) a step in which the terminal device U_(n+1) outputs a key encryption key pk_(n+1) corresponding to a key capsule decryption key sk_(n|1) which conforms to the post-quantum cryptography in order to transmit the key encryption key p_(n+1) to a terminal device U_(n), (d) a step in which the terminal device U_(n) accepts the key encryption key pk_(n+1) which is output from the terminal device U_(n+1), sets a random number k_(n), generates, using the key encryption key pk_(n+1), a key-shared-between-two-parties R_(n, n+1) and a key capsule C_(n, n+1) which is cipher text of the key-shared-between-two-parties R_(n, n+1,) and outputs the key capsule C_(n, n+1) in order to transmit the key capsule C_(n, n+1) to the terminal device U_(n+1), (e) a step in which the terminal device U_(n|1) accepts the key encryption key pk₁ which is output from the terminal device U₁, sets a random number k_(n+1), generates, using the key encryption key pk₁, a key-shared-between-two-parties R_(n+1, 1) and a key capsule C_(n+1, 1) which is cipher text of the key-shared-between-two-parties R_(n|1, 1), outputs the key capsule C_(n+1, 1) in order to transmit the key capsule C_(n+1, 1) to the terminal device U₁, and accepts the key capsule C_(n+1, 1) which is output from the terminal device U_(n), (f) a step in which a terminal device U_(ρ) sets a random number k_(ρ), (g) a step in which the terminal device U₁ accepts the key capsule C_(n+1, 1) which is output from the terminal device U_(n+1) generates the key-shared-between-two-parties R_(n+1, 1) by decrypting the key capsule C_(n|1, 1) using the key capsule decryption key sk₁, generates a function value K₁ ^((L)) of the key-shared-between-two-parties R_(n+1, 1), and generates a function value K₁ ^((R)) of the function value r, generates an XOR T₁ of the function value K₁ ^((L)) and the function value K₁ ^((R)) and generates an XOR T′ of a function value of a random number k₁ and the function value K₁ ^((L)), and outputs the XORs T₁ and T′ to the key distribution management device, (h) a step in which the terminal device U_(n) generates a function value K_(n) ^((L)) of the function value r and generates a function value K_(n) ^((R)) of the key-shared-between-two-parties R_(n, n+1), generates an XOR T_(n) of the function value K_(n) ^((L)) and the function value K_(n) ^((R)), and outputs a random number k_(n) and the XOR T_(n) to the key distribution management device, (i) a step in which the terminal device U_(n+1) generates the key-shared-between-two-parties R_(n, n+1) by decrypting the key capsule C_(n, n+1) using a key capsule decryption key sk_(n+1), generates a function value K_(n|1) ^((L)) of the key-shared-between-two-parties R_(n, n+1) and generates a function value K_(n+1) ^((R)) of the key-shared-between-two-parties R_(n+1, 1), generates an XOR T_(n+1) of the function value K_(n+1) ^((L)) and the function value K_(n+1) ^((R)), and outputs a random number k_(n+1) and the XOR T_(n+1) to the key distribution management device, (j) a step in which a terminal device U_(z) outputs a random number k_(z) to the key distribution management device, (k) a step in which the key distribution management device generates an XOR k′ of a plurality of values including random numbers k₂, . . . , k_(n+1) and generates an XOR T_(w)′ of XORs T₁, . . . , T_(w−1), of which XORs T₂, . . . , T_(n−1) are nulls, and outputs the XOR k′ to the terminal device U₁ and outputs the XORs T′, k′ and T_(w)′ to the terminal device U_(w), (l) a step in which the terminal device U₁ generates a function value of an XOR of the XOR k′ and the random number k₁ as a shared key SK, (m) a step in which the terminal device U_(n) generates the function value K₁ ^((L)) by XORing an XOR T_(n)′ with a function value K_(n) ^((L)), generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and generates a function value of an XOR of the XOR k′ and the random number k₁, which is obtained from the function value of the random number k₁, as the shared key SK, (n) a step in which the terminal device U_(n|1) generates the function value K₁ ^((L)) by XORing an XOR_(n+1)′ with a function value K_(n+1) ^((L)), generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and generates a function value of an XOR of the XOR k′ and the random number k₁ as the shared key SK, and (o) a step in which the terminal device U_(ρ) generates the function value K₁ ^((L)) by XORing an XOR T_(ρ)′ with the function value K₁ ^((R)) of the function value r, generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and generates a function value of an XOR of the XOR k′ and the random number k₁ as the shared key SK.
 11. A key exchange method of a key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising: terminal devices U₁, . . . , U_(n) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem: and a key distribution management device, wherein n is an integer greater than or equal to 3, i=1, . . . , n, j is an integer greater than or equal to 1 and less than or equal to n, y=1, . . . , n, y≠j, y≠(j−2 mod n)+1, x=1, . . . , n, x≠j, x≠(j−2 mod n)+1, x≠(i mod n)+1, and, for a positive integer α, −1 mod α=α−1, a terminal device U_(i), includes an i-th storage that stores keys-shared-between-two-parties H_(i) ^((L))=R_((i−2 mod n)+1, i) and H_(i) ^((R)) =R_(i, (i mod n)+1), and the key exchange method includes: (a) a step in which a terminal device U_((j mod n)+1) outputs a key encryption key pk_((j mod n)|1) corresponding to a key capsule decryption key sk_((j mod n)+1) which conforms to the post-quantum cryptography of the public key cryptosystem in order to transmit the key capsule decryption key sk_((j mod n)+1) to a terminal device U_((j−2 mod n)+1), (b) a step in which the terminal device U_((j−2 mod n)+1) accepts the key encryption key pk_((j mod n)+1) which is output from the terminal device U_((j mod n)+1), sets a random number k_((j−2 mod n)+1), generates, using the key encryption key pk_((j mod n)+1), a key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and a key capsule C_((j−2 mod n)+1, (j mod n)+1) which is cipher text of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1), and outputs the key capsule C_((j−2 mod n)|1, (j mod n)|1) in order to transmit the key capsule C_((j−2 mod n)+1, (j mod n)+1) to the terminal device U_((j mod n)+1), (c) a step in which a terminal device U_(y) sets a random number k_(y), accepts the key capsule C_((j−2 mod n)+1, (j mod n)+1) which is output from the terminal device U_((j−2 mod n)+1), (d) a step in which the terminal device U_((j−2 mod n)+1) generates a function value K_((j−2 mod n)+1) ^((L)) of a key-shared-between-two-parties H_((j−2 mod n)+1) ^((L)) and generates a function value K_((j−2 mod n)+1) ^((R)) of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1), generates an XOR T_((j−2 mod n)+1) of the function value K_((j−2 mod n)+1) ^((L)) and the function value K_(j−2 mod n)+1) ^((R)) and generates an XOR T′ of a function value of a random number k_((j−2 mod n)|1) and the function value K_((j−2 mod n)|1) ^((L)), and outputs the XOR T_((j−2 mod n)+1) and the XOR T′ to the key distribution management device, (e) a step in which the terminal device U_((j mod n)|1) generates the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) by decrypting the key capsule C_((j−2 mod n)+1, (j mod n)+1) using a key capsule decryption key sk_((j mod n)+1), generates a function value K_((j mod n)+1) ^((L)) of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and generates a function value K_((j mod n)+1) ^((R)) of a key-shared-between-two-parties H_((j mod n)+1) ^((R)), generates an XOR T_((j mod n)+1) of the function value K_((j mod n)+1) ^((L)) and the function value K_((j mod n)+1) ^((R)), and outputs a random number k_((j mod n)+1) and the XOR T_((j mod n)+1) ^((L)) to the key distribution management device, (f) a step in which a terminal device U_(x) generates a function value K_(x) ^((L)) of a key-shared-between-two-parties H_(x) ^((L)) and generates a function value K_(x) ^((R)) of a key-shared-between-two-parties H_(x) ^((R)), generates an XOR T_(x) of the function value K_(x) ^((L)) and the function value K_(x) ^((R)), and outputs a random number k_(x) and the XOR T to the key distribution management device, (g) a step in which the key distribution management device generates an XOR k′ of a plurality of values including random numbers k₁, . . . , k_(n) (excluding k_(j) and k_(j+1)) and outputs the XOR k′, and generates, when y<j−1, an XOR T_(y)′ of XORs T₁, . . . , T_(y−1) and T_(j−1), . . . , T_(n) and outputs the XOR T_(y)′ and generates, when j+1<i, an XOR T_(y)′ of XORs T_(j−1), . . . , T_(y−1) and outputs the XOR T_(y)′, (h) a step in which the terminal device U_(y) generates the function value K_((j−2 mod n)+1) ^((L)) by XORing the XOR T_(y)′ with a function value K_(y) ^((L)), generates the function value of the random number k_((j−2 mod n)+1) by XORing the XOR T′ with the function value K_((j−2 mod n)+1) ^((L)), and generates a function value of an XOR of the XOR k′ and the random number k_((j−2 mod n)+1), which is obtained from the function value of the random number k_(j−2 mod n)+1), as a shared key SK, and (i) a step in which a terminal device U_(j−i) generates a function value of an XOR of the XOR k′ and the random number k_((j−2 mod n)+1) as the shared key SK.
 12. A non-transitory computer-readable recording medium that stores a program for making a computer function as the terminal device U_(i) of a key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising terminal devices U₁, . . . , U_(n) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem; and a key distribution management device, wherein n is an integer greater than or equal to 3, i=1, . . . , n, v=2, . . . , n, and, for a positive integer α, −1 mod α=α−1, a terminal device U_(i) includes an i-th storage that stores a key capsule decryption key sk_(i) which conforms to the post-quantum cryptography of the public key cryptosystem, an i-th output unit that outputs a key encryption key pk_(i) corresponding to the key capsule decryption key sk_(i) in order to transmit the key encryption key pk_(i) to a terminal device U_((i−2 mod n)|1), an i-th input unit that accepts a key encryption key pk_((i mod n)+1) which conforms to the post-quantum cryptography and is output from a terminal device U_((i mod n)+1), an i-th random number setting unit that sets a random number k₁, an i-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk_((i mod n)+1), a key-shared-between-two-parties R_(i, (i mod n)+1) and a key capsule C_(i, (i mod n)+1) which is cipher text of the key-shared-between-two-parties R_(i, (i mod n)+1) and the i-th output unit that outputs the key capsule C_((i mod n)+1) in order to transmit the key capsule C_(i, (i mod n)+1) to the terminal device U_((i mod n)+1), the i-th input unit accepts a key capsule C_((i−2 mod n)+1, i) which is output from the terminal device U_((i−2 mod n)+1), the terminal device U₁ includes a first decryption unit that generates a key-shared-between-two-parties R_(n, 1) by decrypting capsule C_(n, 1) using a key capsule decryption key sk₁, a first function operation unit that generates a function value K₁ ^((L)) of the key-shared-between-two-parties R_(n, 1) and generates a function value K₁ ^((R)) of a key-shared-between-two-parties R_(1, 2), a first XOR unit that generates an XOR T₁ of the function value K₁ ^((L)) and the function value K₁ ^((R)) and generates an XOR T′ of a function value of a random number k₁ and the function value K₁ ^((L)), and a first output unit that outputs the XORs T₁ and T′ to the key distribution management device, a terminal device U_(v) includes a v-th decryption unit that generates a key-shared-between-two-parties R_((v−2 mod n)+1, v) by decrypting a key capsule C_((v−2 mod n)+1, v) using a key capsule decryption key sk_(v), a v-th function operation unit that generates a function value K_(v) ^((L)) of the key-shared-between-two-parties R_((v−2 mod n)+1, v) and generates a function value K_(v) ^((R)) of a key-shared-between-two-parties R_(v, (v mod n)+1), a v-th XOR unit that generates an XOR T_(v) of the function value K_(v) ^((L)) and the function value K_(v) ^((R)), and a v-th output unit that outputs a random number k_(v) and the XOR T_(v) to the key distribution management device, the key distribution management device includes an XOR unit that generates an XOR k′ of a plurality of values including random numbers k₂, . . . , K_(n) generates an XOR T_(v)′ of XORs T₁, . . . , T_(v−1), and outputs the XOR k′ to the terminal device U₁ and outputs the XORs T′, k′ and T_(v)′ to the terminal device U_(v), the terminal device U₁ includes a first shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as a shared key SK, and the terminal device U_(v) includes a v-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing the XOR T_(v)′ with the function value K_(v) ^((L)), a v-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and a v-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁, which is obtained from the function value of the random number k₁, as the shared key SK.
 13. A non-transitory computer-readable recording medium that stores a program for making a computer function as the terminal device U_(i″) of a key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising terminal devices U₁, . . . , U_(n+1) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem; and a key distribution management device, wherein n is an integer greater than or equal to 3, i″=1, . . . , n+1, i=1, . . . , n, v=2, . . . , n, w=2, n+1, z=2, . . . , n−1, ρ=1, . . . , n−1, and, for a positive integer α, −1 mod α=α−1, a terminal device U_(i) includes an i-th storage that stores a function value r, the terminal device U₁ includes a first storage that stores a key capsule decryption key sk₁ which conforms to the post-quantum cryptography of the public key cryptosystem, and a first output unit that outputs a key encryption key pk₁ corresponding to the key capsule decryption key sk₁ in order to transmit the key encryption key pk₁ to the terminal device U_(n+1), the terminal device U_(n+1) includes an (n+1)-th storage that stores a key capsule decryption key sk_(n+1) which conforms to the post-quantum cryptography, and an (n+1)-th output unit that outputs a key encryption key pk_(n+1) corresponding to the key capsule decryption key sk_(n+1) in order to transmit the key encryption key pk_(n+1) to a terminal device U_(n), the terminal device U_(n) includes an n-th input unit that accepts the key encryption key pk_(n+1) which is output from the terminal device U_(n+1), an n-th random number setting unit that sets a random number k_(n), an n-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk_(n|1), a key-shared-between-two-parties R_(n, n|1) and a key capsule C_(n, n|1) which is cipher text of the key-shared-between-two-parties R_(n, n+1), and an n-th output unit that outputs the key capsule C_(n, n+1) in order to transmit the key capsule C_(n, n+1) to the terminal device U_(n+1), the terminal device U_(n+1) includes an (n+1)-th input unit that accepts the key encryption key pk₁ which is output from the terminal device an (n+1)-th random number setting unit that sets a random number k_(n+1), an (n+1)-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk₁, a key-shared-between-two-parties R_(n+1, 1) and a key capsule C_(n+1, 1) which is cipher text of the key-shared-between-two-parties R_(n+1, 1), the (n+1)-th output unit that outputs the key capsule C_(n|1, 1) in order to transmit the key capsule C_(n+1, 1) to the terminal device U₁, and the (n+1)-th input unit that accepts the key capsule C_(n, n+1) which is output from the terminal device U_(n), a terminal device U_(ρ) includes a ρ-th random number setting unit that sets a random number k_(ρ), the terminal device U₁ includes a first input unit that accepts the key capsule C_(n+1, 1) which is output from the terminal device U_(n+1), a first decryption unit that generates the key-shared-between-two-parties R_(n+1, 1) by decrypting the key capsule C_(n+1, 1) using the key capsule decryption key sk₁, a first function operation unit that generates a function value K₁ ^((L)) of the key-shared-between-two-parties R_(n+1, 1) and generates a function value K₁ ^((R)) of the function value r, a first XOR unit that generates an XOR T₁ of the function value K₁ ^((L)) and the function value K₁ ^((R)) and generates an XOR T′ of a function value of a random number k₁ and the function value K₁ ^((L)), and the first output unit that outputs the XORs T₁ and T′ to the key distribution management device, the terminal device U_(n) includes an n-th function operation unit that generates a function value K_(n) ^((L)) of the function value r and generates a function value K_(n) ^((R)) of the key-shared-between-two-parties R_(n, n+1), an n-th XOR unit that generates an XOR T_(n) of the function value K_(n) ^((L)) and the function value K_(n) ^((R)), and the n-th output unit that outputs a random number k_(n) and the XOR T_(n) to the key distribution management device, the terminal device U_(n+1) includes an (n+1)-th decryption unit that generates the key-shared-between-two-parties R_(n, n+1) by decrypting the key capsule C_(n, n+1) using a key capsule decryption key sk_(n+1), an (n+1)-th function operation unit that generates a function value K_(n+1) ^((L)) of the key-shared-between-two-parties R_(n, n+1) and generates a function value K_(n+1) ^((R)) of the key-shared-between-two-parties R_(n+1, 1), an (n+1)-th XOR unit that generates an XOR T_(n+1) of the function value K_(n+1) ^((L)) and the function value K_(n+1) ^((R)), and the (n+1)-th output unit that outputs a random number k_(n+1) and the XOR T_(n+1) to the key distribution management device, a terminal device U_(z) includes a z-th output unit that outputs a random number k_(z) to the key distribution management device, the key distribution management device includes an XOR unit that generates an XOR k′ of a plurality of values including random numbers k₂, . . . , k_(n+1) and generates an XOR T_(w)′ of XORs T₁, . . . , T_(w−1), of which XORs T₂, . . . , T_(n−1) are nulls, and outputs the XOR k′ to the terminal device U₁ and outputs the XORs T′, k′ and T_(w)′ to the terminal device U_(w), the terminal device U₁ includes a first shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as a shared key SK, the terminal device U_(n) includes an n-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing an XOR T_(n)′ with a function value K_(n) ^((L)), an n-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and an n-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁, which is obtained from the function value of the random number k₁, as the shared key SK, the terminal device U_(n+1) includes an (n+1)-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing an XOR T_(n−1)′ with a function value K_(n+1) ^((L)), and an (n+1)-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR with the function value K₁ ^((L)), and an (n+1)-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as the shared key SK, and the terminal device U_(ρ) includes a ρ-th function value reconstruction unit that generates the function value K₁ ^((L)) by XORing an XOR T_(ρ)′ with the function value K₁ ^((R)) of the function value r, a ρ-th random number reconstruction unit that generates the function value of the random number k₁ by XORing the XOR T′ with the function value K₁ ^((L)), and a ρ-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k₁ as the shared key SK.
 14. A non-transitory computer-readable recording medium that stores a program for making a computer function as the terminal device U_(i) of a key exchange system which exchanges a shared key used for an application using cryptography, the key exchange system comprising terminal devices U₁, . . . , U_(n) which perform a key capsule-type key exchange between two parties which conforms to post-quantum cryptography of a public key cryptosystem; and a key distribution management device, wherein n is an integer greater than or equal to 3, i=1, . . . , n, j is an integer greater than or equal to 1 and less than or equal to n, y=1, . . . , n, y≠j, y≠(j−2 mod n)+1, x=1, . . . , n, x≠j, x≠(j−2 mod n)+1, x (j mod n)+1, and, for a positive integer α, −1 mod α=α−1, a terminal device U_(i) includes an i-th storage that stores keys-shared-between-two-parties H_(i) ^((L))=R_((i−2 mod n)+1, i) and H_(i) ^((R))=R_(i, (i mod n)+1), a terminal device U_((j mod n)+1) includes a (j+1)-th storage that stores a key capsule decryption key sk_((j mod n)+1) which conforms to the post-quantum cryptography of the public key cryptosystem, and a (j+1)-th output unit that outputs a key encryption key pk_((j mod n)+1) corresponding to the key capsule decryption key sk_((j mod n)+1) in order to transmit the key capsule decryption key sk_((j mod n)+1) to a terminal device U_((j−2 mod n)+1), the terminal device U_((j−2 mod n)+1) includes a (j−1)-th input unit that accepts the key encryption key pk_((j mod n)+1) which is output from the terminal device U_((j mod n)|1), a (j−1)-th random number setting unit that sets a random number k_((j−2 mod n)+1), a (j−1)-th key-shared-between-two-parties generation unit that generates, using the key encryption key pk_((j mod n)+1), a key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and a key capsule C_((j−2 mod n)+1, (j mod n)+1) which is cipher text of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1), and a (j−1)-th output unit that outputs the key capsule C_((j−2 mod n)+1, (j mod n)+1) in order to transmit the key capsule C_((j−2 mod n)+1, (j mod n)+1) to the terminal device U_((j mod n)+1), a terminal device U_(y) includes a y-th random number setting unit that sets a random number k_(y), the terminal device U_((j mod n)+1) includes a (j+1)-th input unit that accepts the key capsule C_((j−2 mod n)|1, (j mod n)|1) which is output from the terminal device U_((j−2 mod n)|), the terminal device U_((j−2 mod n)+1) includes a (j−1)-th function operation unit that generates a function value K_((j−2 mod n)+1) ^((L)) of a key-shared-between-two-parties H_((j−2 mod n)+1) ^((L)) and generates a function value K_((j−2 mod n)+1) ^((R)) of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1), a (j−1)-th XOR unit that generates an XOR T_((j−2 mod n)+1) of the function value K_((j−2 mod n)+1) ^((L)) and the function value K_((j−2 mod n)+1) ^((R)) and generates an XOR T′ of a function value of a random number k_((j−2 mod n)+1) and the function value K_((j−2 mod n)+1) ^((L)), and the (j−1)-th output unit that outputs the XOR T_((j−2 mod n)+1) and the XOR T′ to the key distribution management device, the terminal device U_((j mod n)+1) includes a (j+1)-th decryption unit that generates the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) by decrypting the key capsule C_((j−2 mod n)+1, (j mod n)+1) using a key capsule decryption key sk_((j mod n)|1), a (j+1)-th function operation unit that generates a function value K_((j mod n)+1) ^((L)) of the key-shared-between-two-parties R_((j−2 mod n)+1, (j mod n)+1) and generates a function value K_((j mod n)+1) ^((R)) of a key-shared-between-two-parties H_((j mod n)+1) ^((R)), a (j+1)-th XOR unit that generates an XOR T_((j mod n)+1) of the function value K_((j mod n)+1) ^((L)) and the function value K_((j mod n)+1) ^((R)), and the (j+1)-th output unit that outputs a random number k_((j mod n)+1) and the XOR T_((j mod n)+1) to the key distribution management device, a terminal device U_(x) includes an x-th function operation unit that generates a function value K_(x) ^((L)) of a key-shared-between-two-parties H_(x) ^((L)) and generates a function value K_(x) ^((R)) of a key-shared-between-two-parties H_(x) ^((R)), an x-th XOR unit that generates an XOR T_(x) of the function value K_(x) ^((L)) and the function value K_(x) ^((R)), and an x-th output unit that outputs a random number k_(x) and the XOR T_(x) to the key distribution management device, the key distribution management device includes a k′ generation unit that generates an XOR k′ of a plurality of values including random numbers k₁, . . . , k_(n) (excluding k_(j) and k_(j+)) and outputs the XOR k′, and an XOR unit that generates, when y<j−1, an XOR T_(y)′ of XORs T₁, . . . , T_(y−1) and T_(j−1), . . . , T_(n) and outputs the XOR T_(y)′ and generates, when j+1≤i, an XOR T_(y)′ of XORs T_(j−1), . . . , T_(y−1) and outputs the XOR T_(y)′, the terminal device U_(y) includes a y-th function value reconstruction unit that generates the function value K_((j−2 mod n)+1) ^((L)) by XORing the XOR T_(y)′ with a function value K_(y) ^((L)), a y-th random number reconstruction unit that generates the function value of the random number k_((j−2 mod n)+1) by XORing the XOR T′ with the function value K_(j−2 mod n)+1) ^((L)), and a y-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k_((j−2 mod n)+1), which is obtained from the function value of the random number k_((j−2 mod n)+1), as a shared key SK, and a terminal device U_(j−1) includes a (j−1)-th shared key generation unit that generates a function value of an XOR of the XOR k′ and the random number k_((j−2 mod n)+1) as the shared key SK. 